[ { "path": ".clang-format", "content": "---\nBasedOnStyle: Mozilla\nAccessModifierOffset: '-4'\nAlignAfterOpenBracket: Align\nAlignConsecutiveMacros:\n Enabled: true\n AcrossEmptyLines: false\n AcrossComments: true\nAlignEscapedNewlines: Left\nAlignOperands: true\nAlignTrailingComments:\n Kind: Always\n OverEmptyLines: 1\nAllowAllParametersOfDeclarationOnNextLine: true\nAllowShortBlocksOnASingleLine: Never\nAllowShortCaseLabelsOnASingleLine: false\nAllowShortFunctionsOnASingleLine: None\nAllowShortIfStatementsOnASingleLine: Never\nAllowShortLoopsOnASingleLine: false\nBinPackArguments: true\nBinPackParameters: true\nBreakAfterReturnType: AllDefinitions\nBreakBeforeBinaryOperators: NonAssignment\nBreakBeforeBraces: Allman\nBreakBeforeTernaryOperators: true\nBreakStringLiterals: false\nColumnLimit: '0'\nContinuationIndentWidth: '4'\nDerivePointerAlignment: false\nIndentCaseLabels: true\nIndentGotoLabels: false\nIndentWidth: '4'\nIndentWrappedFunctionNames: false\nInsertBraces: true\nKeepEmptyLinesAtTheStartOfBlocks: false\nMaxEmptyLinesToKeep: '2'\nPointerAlignment: Right\nReflowComments: true\nSortIncludes: false\nSpaceAfterCStyleCast: false\nSpaceBeforeAssignmentOperators: true\nSpaceBeforeParens: ControlStatements\nSpacesBeforeTrailingComments: '2'\nSpacesInParens: Never\nTabWidth: '4'\nTypeNames: [DWORD]\nUseTab: Never\nWhitespaceSensitiveMacros: [_STRINGIFY]\n---\nLanguage: C\n---\nLanguage: Cpp\n" }, { "path": ".git-blame-ignore-revs", "content": "# This FILE allows git blame to ignore reformatting changes and instead\n# shows the previous commit that changed the line.\n#\n# To avoid manually building the list of commits this commit\n# adds a file with a list of reformatting commits. TO use:\n#\n# git blame --ignore-revs-file=.git-blame-ignore-revs file\n#\n# or to automatically always use the file\n#\n# git config blame.ignoreRevsFile .git-blame-ignore-revs\n\n# Uncrustify 2020/06... (engine, pool, SSO)\nc1ff8f247f91c88a2df5502eeedf42857f9a6831\n\n# Uncrustify the tests/unit_tests/ part of our tree.\nda1574ef7826d73f01e120cbd1ba40ce39a305b7\n\n# Another round of uncrustify code cleanup.\n9cf7b4925a54d93fbea1cadcf3dc0e11f3ce358f\n\n# networking_sitnl.c: uncrustify file\n2c45d268ca65c522fbabb7c4dab5e721296b4623\n\n# Uncrustify tapctl and openvpnmsica\n6280d3d5536174934ee22d3840457d61896e0e3a\n\n# tun.c: uncrustify\nbaef44fc8769bbd99f4d699ce9f63180c29a5455\n\n# networking_sitnl.c: uncrustify file\n2c45d268ca65c522fbabb7c4dab5e721296b4623\n\n# uncrustify openvpn sources\nf57431cdc88f22fa4d7962946f0d3187fe058539\n\n# More broadly enforce Allman style and braces-around-conditionals\n4cd4899e8e80efae03c584a760fd107251735723\n\n# The Great Reformatting - first phase\n81d882d5302b8b647202a6893b57dfdc61fd6df2\n\n# Fix trailing-whitespace errors in last patch.\n3282632d9325267c850072db7545a884a1637f51\n\n# The Great Reformatting of 2022\nabe49856d81f51136d543539202a0bf8fb946474\n\n# Reformat for sp_after_comma=add\ne51d9a73693ee742b36e19fb1718e5e27167831d\n\n# The Great Reformatting of 2025, switching to clang-format\n3cca3367e6e0ffeccb8e39cb2c739d1dcb086701\n# Switching to ColumnLimit 0 for clang-format\n21f7d6e1ad65b1f7db673bc98764dc7325858e0b\n" }, { "path": ".gitattributes", "content": "*.c eol=lf\n*.h eol=lf\n*.rc eol=lf\n*.txt eol=lf\n*.bat eol=lf\n*.vc*proj* eol=crlf\n*.sln eol=crlf\n" }, { "path": ".github/ISSUE_TEMPLATE/bug_report.md", "content": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n**IMPORTANT NOTE**\nBugs about OpenVPN Access Server, OpenVPN Connect or any other product by OpenVPN Inc. should be directly reported to OpenVPN Inc. at https://support.openvpn.net\n\n**Describe the bug**\nA clear and concise description of what the bug is.\n\n**To Reproduce**\nSteps to reproduce the behavior. Please make sure to not post any secrets like keys and passwords.\n\n**Expected behavior**\nA clear and concise description of what you expected to happen.\n\n**Version information (please complete the following information):**\n - OS: [e.g. Ubuntu 22.04]\n - OpenVPN version: [e.g. 2.5.8]\n - Repeat for peer if relevant\n\n**Additional context**\nAdd any other context about the problem here.\n" }, { "path": ".github/PULL_REQUEST_TEMPLATE.md", "content": "# Thank you for your contribution\n\nYou are welcome to open PR, but they are used for discussion only. All\npatches must eventually go to the openvpn-devel mailing list for review:\n\n* https://lists.sourceforge.net/lists/listinfo/openvpn-devel\n\nPlease send your patch using [git-send-email](https://git-scm.com/docs/git-send-email). For example to send your latest commit to the list:\n\n $ git send-email --to=openvpn-devel@lists.sourceforge.net HEAD~1\n\nFor details, see these Wiki articles:\n\n* https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation\n* https://community.openvpn.net/openvpn/wiki/Contributing\n" }, { "path": ".github/workflows/build.yaml", "content": "# The name of our workflow\nname: Build\non:\n push:\n pull_request:\n\njobs:\n clang-format:\n name: Check code style with clang-format\n runs-on: ubuntu-24.04\n steps:\n - name: Install dependencies\n run: |\n sudo apt update && sudo apt install -y python3-pip\n pip3 install pre-commit\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - name: Run clang-format\n run: pre-commit run -a --show-diff-on-failure || true\n - name: Check for changes\n run: git diff --output=format-changes.patch\n - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0\n with:\n name: format-changes.patch\n path: format-changes.patch\n - name: Set job status\n run: test ! -s format-changes.patch\n\n android:\n strategy:\n fail-fast: false\n matrix:\n abi: [ arm64-v8a ]\n include:\n - abi: arm64-v8a\n vcpkg_triplet: arm64-android\n runs-on: ubuntu-24.04\n name: \"Android - ${{ matrix.abi }}\"\n # Github images already setup NDK with ANDROID_NDK_ROOT pointing to the root\n # of the SDK\n env:\n VCPKG_DEFAULT_TRIPLET: ${{ matrix.vcpkg_triplet }}\n VCPKG_ROOT: ${{ github.workspace }}/vcpkg\n VCPKG_INSTALLED_DIR: ${{ github.workspace }}/vcpkg/installed\n steps:\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3\n - name: Install vcpkg\n uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5\n with:\n vcpkgGitCommitId: e5a1490e1409d175932ef6014519e9ae149ddb7c\n - name: Install dependencies\n run: ${VCPKG_ROOT}/vcpkg install openssl lz4 cmocka\n - name: configure OpenVPN with cmake\n run: |\n cmake -S . -B openvpn-build -DUNSUPPORTED_BUILDS=yes \\\n -DCMAKE_SYSTEM_NAME=Android -DCMAKE_SYSTEM_VERSION=28 \\\n -DCMAKE_ANDROID_ARCH_ABI=${{ matrix.abi }} \\\n -DOPENSSL_ROOT_DIR=${VCPKG_INSTALLED_DIR}/${{ matrix.vcpkg_triplet }} \\\n -DENABLE_PKCS11=false -DBUILD_TESTING=true -DENABLE_LZO=false\n - name: Build OpenVPN Android binary with cmake\n run: cmake --build openvpn-build\n\n\n mingw:\n strategy:\n fail-fast: false\n matrix:\n arch: [x86, x64]\n build: [Release, Debug]\n\n name: \"gcc-mingw - ${{ matrix.arch }} - ${{matrix.build }} - OSSL\"\n runs-on: ubuntu-24.04\n env:\n VCPKG_ROOT: ${{ github.workspace }}/vcpkg\n steps:\n - name: Install dependencies\n run: sudo apt update && sudo apt install -y mingw-w64 unzip build-essential wget python3-docutils man2html-base\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n - uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3\n - name: Restore from cache and install vcpkg\n uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5\n with:\n vcpkgGitCommitId: e5a1490e1409d175932ef6014519e9ae149ddb7c\n vcpkgJsonGlob: '**/mingw/vcpkg.json'\n\n - name: Run CMake with vcpkg.json manifest\n uses: lukka/run-cmake@af1be47fd7c933593f687731bc6fdbee024d3ff4 # v10.8\n with:\n configurePreset: mingw-${{ matrix.arch }}\n buildPreset: mingw-${{ matrix.arch }}\n buildPresetAdditionalArgs: \"['--config ${{ matrix.build }}']\"\n\n - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0\n with:\n name: openvpn-mingw-${{ matrix.arch }}-${{ matrix.build }}\n path: |\n ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/**/${{ matrix.build }}/*.exe\n ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/**/${{ matrix.build }}/*.dll\n !${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/**/${{ matrix.build }}/test_*.exe\n\n - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0\n with:\n name: openvpn-mingw-${{ matrix.arch }}-${{ matrix.build }}-tests\n path: |\n ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/**/${{ matrix.build }}/test_*.exe\n ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/${{ matrix.build }}/*.dll\n\n mingw-unittest:\n needs: [ mingw ]\n strategy:\n fail-fast: false\n matrix:\n arch: [x86, x64]\n test: [argv, auth_token, buffer, cryptoapi, crypto, misc, options_parse, ncp, openvpnserv, packet_id, pkt, provider, ssl, tls_crypt, user_pass]\n build: [Release, Debug]\n\n runs-on: windows-2025\n name: \"mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - ${{ matrix.build }} - OSSL\"\n steps:\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - name: Retrieve mingw unittest\n uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0\n with:\n name: openvpn-mingw-${{ matrix.arch }}-${{ matrix.build }}-tests\n path: unittests\n - name: Run ${{ matrix.test }} unit test\n run: |\n $test_file=(Get-ChildItem -Path unittests -Filter test_${{ matrix.test }}.exe -Recurse).fullname\n & $test_file\n env:\n srcdir: \"${{ github.workspace }}/tests/unit_tests/openvpn\"\n\n ubuntu:\n strategy:\n fail-fast: false\n matrix:\n os: [ubuntu-22.04, ubuntu-24.04]\n sslpkg: [libssl-dev]\n ssllib: [openssl]\n\n include:\n - os: ubuntu-22.04\n libname: OpenSSL 3.0.2\n pkcs11pkg: \"libpkcs11-helper1-dev softhsm2 gnutls-bin\"\n extraconf: --enable-pkcs11\n - os: ubuntu-24.04\n libname: OpenSSL 3.0.13\n pkcs11pkg: \"libpkcs11-helper1-dev softhsm2 gnutls-bin\"\n extraconf: --enable-pkcs11\n\n name: \"gcc - ${{matrix.os}} - ${{matrix.libname}} ${{matrix.extraconf}}\"\n env:\n SSLPKG: \"${{matrix.sslpkg}}\"\n PKCS11PKG: \"${{matrix.pkcs11pkg}}\"\n\n runs-on: ${{matrix.os}}\n steps:\n - name: Install dependencies\n run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG}\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - name: autoconf\n run: autoreconf -fvi\n - name: configure\n run: ./configure --with-crypto-library=${{matrix.ssllib}} ${{matrix.extraconf}} --enable-werror\n - name: make all\n run: make -j3\n - name: configure checks\n if: ${{ matrix.extraconf != '--disable-management' }}\n run: echo 'RUN_SUDO=\"sudo -E\"' >tests/t_server_null.rc\n - name: make check\n run: make -j3 check VERBOSE=1\n\n ubuntu-clang-asan:\n strategy:\n fail-fast: false\n matrix:\n os: [ubuntu-22.04, ubuntu-24.04]\n ssllib: [openssl]\n\n name: \"clang-asan - ${{matrix.os}} - ${{matrix.ssllib}}\"\n\n env:\n UBSAN_OPTIONS: print_stacktrace=1\n\n runs-on: ${{matrix.os}}\n steps:\n - name: Install dependencies\n run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - name: autoconf\n run: autoreconf -fvi\n - name: configure\n run: CFLAGS=\"-fsanitize=address,undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -O2\" CC=clang ./configure --with-crypto-library=${{matrix.ssllib}} --enable-werror\n - name: make all\n run: make -j3\n - name: configure checks\n run: echo 'RUN_SUDO=\"sudo -E\"' >tests/t_server_null.rc\n - name: make check\n run: make -j3 check VERBOSE=1\n\n macos:\n strategy:\n fail-fast: false\n matrix:\n ssllib: [openssl@3, libressl]\n build: [normal, asan]\n os: [macos-14, macos-15, macos-26]\n include:\n - build: asan\n cflags: \"-fsanitize=address,undefined -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1\"\n ldflags: -fsanitize=address,undefined -fno-sanitize-recover=all\n # Our build system ignores LDFLAGS for plugins\n configureflags: --disable-plugin-auth-pam --disable-plugin-down-root\n - build: normal\n cflags: \"-O2 -g\"\n ldflags: \"\"\n configureflags: \"\"\n\n runs-on: ${{matrix.os}}\n name: \"${{matrix.os}} - ${{matrix.ssllib}} - ${{matrix.build}}\"\n env:\n CFLAGS: ${{ matrix.cflags }}\n LDFLAGS: ${{ matrix.ldflags }}\n UBSAN_OPTIONS: print_stacktrace=1\n steps:\n - name: Install dependencies\n run: brew install ${{matrix.ssllib}} lzo lz4 man2html cmocka libtool automake autoconf\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - name: Set environment\n run: |\n cat >>$GITHUB_ENV <tests/t_server_null.rc\n - name: make check\n run: make -j4 check VERBOSE=1\n\n msvc:\n strategy:\n fail-fast: false\n matrix:\n arch: [amd64, x86, arm64, amd64-clang, x86-clang]\n\n name: \"msbuild - ${{ matrix.arch }} - openssl\"\n env:\n BUILD_CONFIGURATION: Release\n\n runs-on: windows-2025\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3\n\n - name: Install rst2html\n run: python -m pip install --upgrade pip docutils\n\n - name: Restore artifacts, or setup vcpkg (do not install any package)\n uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5\n with:\n vcpkgGitCommitId: e5a1490e1409d175932ef6014519e9ae149ddb7c\n vcpkgJsonGlob: '**/windows/vcpkg.json'\n\n - name: Run CMake with vcpkg.json manifest (NO TESTS)\n uses: lukka/run-cmake@af1be47fd7c933593f687731bc6fdbee024d3ff4 # v10.8\n if: ${{ matrix.arch == 'arm64' }}\n with:\n configurePreset: win-${{ matrix.arch }}-release\n buildPreset: win-${{ matrix.arch }}-release\n\n - name: Run CMake with vcpkg.json manifest\n uses: lukka/run-cmake@af1be47fd7c933593f687731bc6fdbee024d3ff4 # v10.8\n if: ${{ matrix.arch != 'arm64' }}\n with:\n configurePreset: win-${{ matrix.arch }}-release\n buildPreset: win-${{ matrix.arch }}-release\n testPreset: win-${{ matrix.arch }}-release\n testPresetAdditionalArgs: \"['--output-on-failure']\"\n\n - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0\n with:\n name: openvpn-msvc-${{ matrix.arch }}\n path: |\n ${{ github.workspace }}/out/**/*.exe\n ${{ github.workspace }}/out/**/*.dll\n !${{ github.workspace }}/out/**/test_*.exe\n !${{ github.workspace }}/out/**/CMakeFiles/**\n !${{ github.workspace }}/out/**/vcpkg_installed/**\n\n libressl:\n strategy:\n fail-fast: false\n matrix:\n os: [ubuntu-24.04]\n ssllib: [libressl]\n build: [ normal, asan ]\n configureflags: [\"--with-openssl-engine=no\"]\n include:\n - build: asan\n cflags: \"-fsanitize=address -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1\"\n ldflags: -fsanitize=address -fno-sanitize-recover=all\n cc: clang\n - build: normal\n cflags: \"-O2 -g\"\n ldflags: \"\"\n cc: gcc\n\n name: \"${{matrix.cc}} ${{matrix.build}} - ${{matrix.os}} - ${{matrix.ssllib}}\"\n runs-on: ${{matrix.os}}\n env:\n CFLAGS: ${{ matrix.cflags }}\n LDFLAGS: ${{ matrix.ldflags }}\n CC: ${{matrix.cc}}\n UBSAN_OPTIONS: print_stacktrace=1\n\n steps:\n - name: Install dependencies\n run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf pkg-config libcap-ng-dev libnl-genl-3-dev\n - name: \"libressl: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n path: libressl\n # versioning=semver-coerced\n repository: libressl/portable\n ref: v4.2.1\n - name: \"libressl: autogen.sh\"\n env:\n LIBRESSL_GIT_OPTIONS: \"--no-single-branch\"\n run: ./autogen.sh\n working-directory: libressl\n - name: \"libressl: configure\"\n run: ./configure\n working-directory: libressl\n - name: \"libressl: make all\"\n run: make -j3\n working-directory: libressl\n - name: \"libressl: make install\"\n run: sudo make install\n working-directory: libressl\n - name: \"ldconfig\"\n run: sudo ldconfig\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - name: autoconf\n run: autoreconf -fvi\n - name: configure\n run: ./configure --with-crypto-library=openssl ${{matrix.configureflags}} --enable-werror\n - name: make all\n run: make -j3\n - name: Ensure the build uses LibreSSL\n run: |\n ./src/openvpn/openvpn --version\n ./src/openvpn/openvpn --version | grep -q \"library versions: LibreSSL\"\n - name: configure checks\n run: echo 'RUN_SUDO=\"sudo -E\"' >tests/t_server_null.rc\n - name: make check\n run: make -j3 check VERBOSE=1\n\n mbedtls4:\n strategy:\n fail-fast: false\n matrix:\n os: [ubuntu-24.04]\n ssllib: [mbedtls4]\n build: [ normal, asan ]\n include:\n - build: asan\n cflags: \"-fsanitize=address -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1\"\n ldflags: -fsanitize=address -fno-sanitize-recover=all\n cc: clang\n - build: normal\n cflags: \"-O2 -g\"\n ldflags: \"\"\n cc: gcc\n\n name: \"${{matrix.cc}} ${{matrix.build}} - ${{matrix.os}} - ${{matrix.ssllib}}\"\n runs-on: ${{matrix.os}}\n env:\n CFLAGS: ${{ matrix.cflags }}\n LDFLAGS: ${{ matrix.ldflags }}\n CC: ${{matrix.cc}}\n UBSAN_OPTIONS: print_stacktrace=1\n\n steps:\n - name: Install dependencies\n run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils python3-jinja2 python3-jsonschema libtool automake autoconf pkg-config libcap-ng-dev libnl-genl-3-dev\n - name: \"mbedtls: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n path: mbedtls\n submodules: recursive\n # versioning=semver-coerced\n repository: Mbed-TLS/mbedtls\n ref: v4.0.0\n - uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3\n - name: \"mbedtls: cmake\"\n run: cmake -B build\n working-directory: mbedtls\n - name: \"mbedtls: cmake --build\"\n run: cmake --build build\n working-directory: mbedtls\n - name: \"mbedtls: cmake --install\"\n run: sudo cmake --install build --prefix /usr\n working-directory: mbedtls\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - name: autoconf\n run: autoreconf -fvi\n - name: configure\n run: ./configure --with-crypto-library=mbedtls --enable-werror\n - name: make all\n run: make -j3\n - name: Ensure the build uses mbed TLS 4.x\n run: |\n ./src/openvpn/openvpn --version\n ./src/openvpn/openvpn --version | grep -q \"library versions: mbed TLS 4.\"\n - name: configure checks\n run: echo 'RUN_SUDO=\"sudo -E\"' >tests/t_server_null.rc\n - name: make check\n run: make -j3 check VERBOSE=1\n\n aws-lc:\n strategy:\n fail-fast: false\n matrix:\n os: [ubuntu-24.04]\n ssllib: [ awslc ]\n build: [ normal, asan ]\n include:\n - build: asan\n cflags: \"-fsanitize=address -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1\"\n ldflags: -fsanitize=address -fno-sanitize-recover=all\n cc: clang\n cxx: clang++\n - build: normal\n cflags: \"-O2 -g\"\n ldflags: \"\"\n cc: gcc\n cxx: c++\n\n name: \"${{matrix.cc}} ${{matrix.build}} - ${{matrix.os}} - ${{matrix.ssllib}}\"\n runs-on: ${{matrix.os}}\n env:\n CFLAGS: ${{ matrix.cflags }}\n LDFLAGS: ${{ matrix.ldflags }}\n CC: ${{matrix.cc}}\n CXX: ${{matrix.cxx}}\n UBSAN_OPTIONS: print_stacktrace=1\n AWS_LC_INSTALL: /opt/aws-lc\n\n steps:\n - name: Install dependencies\n run: sudo apt update && sudo apt install -y gcc golang make liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils python3-jinja2 python3-jsonschema libtool automake autoconf pkg-config libcap-ng-dev libnl-genl-3-dev\n - name: \"AWS-LC: checkout\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n path: aws-lc\n # versioning=semver-coerced\n repository: aws/aws-lc\n ref: v1.70.0\n - uses: lukka/get-cmake@f176ccd3f28bda569c43aae4894f06b2435a3375 # v4.2.3\n - name: \"AWS-LC: build\"\n run: |\n mkdir build\n cd build\n cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=\"${{ env.AWS_LC_INSTALL }}\" -DBUILD_SHARED_LIBS=1 ../\n ninja install\n working-directory: aws-lc\n - name: Checkout OpenVPN\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n - name: autoconf\n run: autoreconf -fvi\n - name: configure with AWS-LC\n run: |\n OPENSSL_CFLAGS=\"-I${{ env.AWS_LC_INSTALL }}/include\" \\\n OPENSSL_LIBS=\"-L${{ env.AWS_LC_INSTALL }}/lib -lssl -lcrypto\" \\\n LDFLAGS=\"-Wl,-rpath=${{ env.AWS_LC_INSTALL }}/lib\" \\\n ./configure --with-crypto-library=openssl\n - name: make all\n run: make -j3\n - name: Ensure the build uses AWS-LC\n run: |\n ./src/openvpn/openvpn --version\n ./src/openvpn/openvpn --version | grep -q \"library versions: AWS-LC\"\n - name: configure checks\n run: echo 'RUN_SUDO=\"sudo -E\"' >tests/t_server_null.rc\n - name: make check\n run: make -j3 check VERBOSE=1\n" }, { "path": ".github/workflows/coverity-scan.yml", "content": "name: coverity-scan\non:\n schedule:\n - cron: '0 20 * * *' # Daily at 20:00 UTC\n workflow_dispatch:\n\njobs:\n latest:\n # Running coverity requires the secrets.COVERITY_SCAN_TOKEN token\n # which is only available on the main repository\n if: github.repository_owner == 'OpenVPN'\n runs-on: ubuntu-24.04\n steps:\n - name: Check submission cache\n id: check_submit\n uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3\n with:\n path: |\n cov-int\n key: check-submit-${{ github.sha }}\n\n - name: Install dependencies\n if: steps.check_submit.outputs.cache-hit != 'true'\n run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf libssl-dev libpkcs11-helper1-dev softhsm2 gnutls-bin\n\n - name: Checkout OpenVPN\n if: steps.check_submit.outputs.cache-hit != 'true'\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n - name: Download Coverity Build Tool\n if: steps.check_submit.outputs.cache-hit != 'true'\n run: |\n wget -q https://scan.coverity.com/download/cxx/linux64 --post-data \"token=$TOKEN&project=OpenVPN%2Fopenvpn\" -O cov-analysis-linux64.tar.gz\n mkdir cov-analysis-linux64\n tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64\n env:\n TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}\n\n - name: autoconf\n if: steps.check_submit.outputs.cache-hit != 'true'\n run: autoreconf -fvi\n - name: configure\n if: steps.check_submit.outputs.cache-hit != 'true'\n run: ./configure --enable-pkcs11\n\n - name: Build with cov-build\n if: steps.check_submit.outputs.cache-hit != 'true'\n run: |\n PATH=`pwd`/cov-analysis-linux64/bin:$PATH\n cov-build --dir cov-int make\n\n - name: Submit the result to Coverity Scan\n if: steps.check_submit.outputs.cache-hit != 'true'\n run: |\n tar czvf openvpn.tgz cov-int\n curl --form token=$TOKEN \\\n --form email=$EMAIL \\\n --form file=@openvpn.tgz \\\n --form version=\"$GITHUB_SHA\" \\\n --form description=\"master\" \\\n https://scan.coverity.com/builds?project=OpenVPN%2Fopenvpn\n env:\n TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}\n EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}\n\n - name: Cache submission\n if: steps.check_submit.outputs.cache-hit != 'true'\n uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3\n with:\n path: |\n cov-int\n key: ${{ steps.check_submit.outputs.cache-primary-key }}\n" }, { "path": ".github/workflows/doxygen.yml", "content": "name: Deploy Doxygen documentation to Pages\non:\n push:\n branches: [\"master\"]\n workflow_dispatch:\nconcurrency:\n group: \"pages\"\n cancel-in-progress: false\njobs:\n build:\n runs-on: ubuntu-24.04\n if: ${{ github.repository_owner == 'openvpn' || github.event_name == 'workflow_dispatch' }}\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n path: openvpn\n\n - name: Install dependencies\n run: |\n sudo apt update\n sudo apt install -y --no-install-recommends \\\n build-essential doxygen graphviz \\\n liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf libssl-dev\n\n - name: Build Doxygen documentation\n id: build\n run: |\n cd openvpn\n autoreconf -f -i\n cd ..\n mkdir doxygen\n cd doxygen\n ../openvpn/configure\n make doxygen\n touch doc/doxygen/html/.nojekyll\n - name: Upload static files as artifact\n id: deployment\n uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0\n with:\n path: doxygen/doc/doxygen/html/\n\n deploy:\n needs: build\n permissions:\n pages: write # to deploy to Pages\n id-token: write # to verify the deployment originates from an appropriate source\n environment:\n name: github-pages\n url: ${{ steps.deployment.outputs.page_url }}\n runs-on: ubuntu-24.04\n steps:\n - name: Deploy to GitHub Pages\n id: deployment\n uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5\n" }, { "path": ".gitignore", "content": "*.[oa]\n*.l[oa]\n*.dll\n*.exe\n*.exe.*\n*.obj\n*.pyc\n*.so\n*~\n*.idb\n*.suo\n*.ncb\n*.log\nout\n.vs\n.deps\n.libs\nMakefile\nMakefile.in\naclocal.m4\nautodefs.h\nautom4te.cache\nconfig.guess\nconfig.h\nconfig.h.in\nconfig.log\nconfig.status\nconfig.sub\nconfigure\nconfigure.h\ndepcomp\nstamp-h1\ninstall-sh\nmissing\nltmain.sh\nlibtool\nm4/libtool.m4\nm4/ltoptions.m4\nm4/ltsugar.m4\nm4/ltversion.m4\nm4/lt~obsolete.m4\n\nbuild\ndoc/openvpn-examples.5\ndoc/openvpn-examples.5.html\ndoc/openvpn.8\ndoc/openvpn.8.html\n/doc/doxygen/html/\n/doc/doxygen/latex/\n/doc/doxygen/openvpn.doxyfile\ndistro/systemd/*.service\ndistro/dns-scripts/dns-updown\nsample/sample-keys/sample-ca/\nvendor/cmocka_build\nvendor/dist\n\ntests/t_client.sh\ntests/t_client-*-20??????-??????/\ntests/t_server_null.rc\nt_client.rc\nt_client_ips.rc\ntests/unit_tests/**/*_testdriver\n\nsrc/openvpn/openvpn\ninclude/openvpn-plugin.h\nconfig-version.h\nnbproject\ntest-driver\ncompile\nstamp-h2\n" }, { "path": ".mailmap", "content": "Adriaan de Jong \nDavid Sommerseth \nGert Doering \nGert Doering \nGert Doering \nGert Doering \nJames Yonan \nJan Just Keijser \nJuanJo Ciarlante \nKarl O. Pinc \nRobert Fischer \nSamuli Seppänen \nSeth Mos \n" }, { "path": ".pre-commit-config.yaml", "content": "repos:\n - repo: https://github.com/pre-commit/mirrors-clang-format\n rev: 'v21.1.8'\n hooks:\n - id: clang-format\n files: \\.[ch]$\n # preserve upstream formatting\n exclude: ^(src/compat/compat-lz4\\.[ch]|src/openvpn/ovpn_dco_(linux|win)\\.h)$\n" }, { "path": ".svncommitters", "content": "james = James Yonan \n" }, { "path": "AUTHORS", "content": "James Yonan \n" }, { "path": "CMakeLists.txt", "content": "cmake_minimum_required(VERSION 3.14)\nset(CMAKE_CONFIGURATION_TYPES \"Release;Debug;ASAN\")\nproject(openvpn)\n\n# This CMake file implements building OpenVPN with CMAKE\n#\n# Note that this is *NOT* the official way to build openvpn on anything\n# other than Windows/mingw despite working on other platforms too. You will need\n# to add -DUNSUPPORTED_BUILDS=true to build on non Windows platforms.\n#\n# This cmake also makes a few assertions like lzo, lz4 being used\n# and OpenSSL having version 1.1.1+ and generally does not offer the same\n# configurability like autoconf\n\nfind_package(PkgConfig REQUIRED)\ninclude(CheckSymbolExists)\ninclude(CheckIncludeFiles)\ninclude(CheckCCompilerFlag)\ninclude(CheckLinkerFlag OPTIONAL)\ninclude(CheckTypeSize)\ninclude(CheckStructHasMember)\ninclude(CTest)\n\noption(UNSUPPORTED_BUILDS \"Allow unsupported builds\" OFF)\n\nif (NOT WIN32 AND NOT ${UNSUPPORTED_BUILDS})\n message(FATAL_ERROR \"Note: on Unix platform the official and supported build method is using autoconfig. CMake based build should be only used for Windows and internal testing/development.\")\nendif()\n\nif (EXISTS \"${CMAKE_CURRENT_SOURCE_DIR}/config.h\")\n message(FATAL_ERROR \"The top level source directory has a config.h file. Note that you can't mix in-tree autoconfig builds with out-of-tree cmake builds.\")\nendif ()\n\noption(MBED \"BUILD with mbed\" OFF)\nset(MBED_INCLUDE_PATH \"\" CACHE STRING \"Path to mbed TLS include directory\")\nset(MBED_LIBRARY_PATH \"\" CACHE STRING \"Path to mbed library directory\")\noption(WOLFSSL \"BUILD with wolfSSL\" OFF)\noption(ENABLE_LZ4 \"BUILD with lz4\" ON)\noption(ENABLE_LZO \"BUILD with lzo\" ON)\noption(ENABLE_PKCS11 \"BUILD with pkcs11-helper\" ON)\noption(USE_WERROR \"Treat compiler warnings as errors (-Werror)\" ON)\noption(FAKE_ANDROID \"Target Android but do not use actual cross compile/Android cmake to build for simple compile checks on Linux\")\n\noption(ENABLE_DNS_UPDOWN_BY_DEFAULT \"Run --dns-updown hook by default\" ON)\nset(DNS_UPDOWN_PATH \"${CMAKE_INSTALL_PREFIX}/libexec/openvpn/dns-updown\" CACHE STRING \"Default location for the DNS up/down script\")\n\nset(PLUGIN_DIR \"${CMAKE_INSTALL_PREFIX}/lib/openvpn/plugins\" CACHE FILEPATH \"Location of the plugin directory\")\n\n# Create machine readable compile commands\noption(ENABLE_COMPILE_COMMANDS \"Generate compile_commands.json and a symlink for clangd to find it\" OFF)\nif (ENABLE_COMPILE_COMMANDS)\n if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/build AND NOT IS_SYMLINK ${CMAKE_CURRENT_SOURCE_DIR}/build)\n message(FATAL_ERROR \"The top level source directory contains a 'build' file or directory. Please remove or rename it. CMake creates a symlink with that name during build.\")\n endif()\n set(CMAKE_EXPORT_COMPILE_COMMANDS 1)\n add_custom_target(\n symlink-build-dir ALL\n ${CMAKE_COMMAND} -E create_symlink ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/build\n )\nendif ()\n\n# AddressSanitize - use CXX=clang++ CC=clang cmake -DCMAKE_BUILD_TYPE=asan to build with ASAN\nset(CMAKE_C_FLAGS_ASAN\n \"-fsanitize=address,undefined -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1\"\n CACHE STRING \"Flags used by the C compiler during AddressSanitizer builds.\"\n FORCE)\nset(CMAKE_CXX_FLAGS_ASAN\n \"-fsanitize=address,undefined -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1\"\n CACHE STRING \"Flags used by the C++ compiler during AddressSanitizer builds.\"\n FORCE)\n\nfunction(check_and_add_compiler_flag flag variable)\n check_c_compiler_flag(${flag} ${variable})\n if (${variable})\n add_compile_options(${flag})\n endif()\nendfunction()\n\nif (MSVC)\n add_compile_definitions(\n _CRT_SECURE_NO_WARNINGS\n _CRT_NONSTDC_NO_DEPRECATE\n _WINSOCK_DEPRECATED_NO_WARNINGS\n )\n if (USE_WERROR)\n add_compile_options(/WX)\n endif ()\n # C4018: signed/unsigned mismatch\n # C4244: conversion from 'type1' to 'type2', possible loss of data\n # C4267: conversion from 'size_t' to 'type', possible loss of data\n add_compile_options(\n /MP\n /W3 /wd4018 /wd4267 /wd4244\n /sdl\n /Qspectre\n /guard:cf\n /FC\n /ZH:SHA_256\n \"$<$:/GL>\"\n \"$<$:/Oi>\"\n \"$<$:/Gy>\"\n \"$<$:/Zi>\"\n )\n add_link_options(\n /Brepro\n \"$<$:/LTCG:incremental>\"\n \"$<$:/DEBUG:FULL>\"\n \"$<$:/OPT:REF>\"\n \"$<$:/OPT:ICF>\"\n )\n if (${CMAKE_GENERATOR_PLATFORM} STREQUAL \"x64\" OR ${CMAKE_GENERATOR_PLATFORM} STREQUAL \"x86\")\n add_link_options(\"$<$:/CETCOMPAT>\")\n endif()\nelse ()\n add_compile_options(-Wall -Wuninitialized)\n check_and_add_compiler_flag(-Wno-stringop-truncation NoStringOpTruncation)\n check_and_add_compiler_flag(-Wstrict-prototypes StrictPrototypes)\n check_and_add_compiler_flag(-Wold-style-definition OldStyleDefinition)\n add_compile_options(-Wconversion -Wno-sign-conversion)\n add_compile_options(-Wextra -Wno-unused-parameter)\n # clang doesn't have the different levels but also doesn't include it in -Wextra\n check_and_add_compiler_flag(-Wimplicit-fallthrough=2 GCCImplicitFallthrough)\n if (WIN32)\n # Not sure how to deal with GetProcAddress\n add_compile_options(-Wno-cast-function-type)\n endif ()\n if (USE_WERROR)\n add_compile_options(-Werror)\n endif ()\nendif ()\n\nfind_package(Python3 REQUIRED COMPONENTS Interpreter)\nexecute_process(\n COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/parse-version.m4.py ${CMAKE_CURRENT_SOURCE_DIR}/version.m4\n WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}\n )\ninclude(${CMAKE_CURRENT_BINARY_DIR}/version.cmake)\n\nset(OPENVPN_VERSION_MAJOR ${PRODUCT_VERSION_MAJOR})\nset(OPENVPN_VERSION_MINOR ${PRODUCT_VERSION_MINOR})\nset(OPENVPN_VERSION_PATCH ${PRODUCT_VERSION_PATCH})\nset(OPENVPN_VERSION_RESOURCE ${PRODUCT_VERSION_RESOURCE})\n\nset(CMAKE_C_STANDARD 11)\n\n# Set the various defines for config.h.cmake.in\nif (${CMAKE_SYSTEM_NAME} STREQUAL \"Android\" OR ${FAKE_ANDROID})\n set(TARGET_ANDROID YES)\n set(ENABLE_ASYNC_PUSH YES)\n set(ENABLE_SITNL YES)\n # Wacky workaround as OpenSSL package detection is otherwise broken (https://stackoverflow.com/questions/45958214/android-cmake-could-not-find-openssl)\n list(APPEND CMAKE_FIND_ROOT_PATH ${OPENSSL_ROOT_DIR})\nelseif (${CMAKE_SYSTEM_NAME} STREQUAL \"Linux\")\n set(TARGET_LINUX YES)\n set(ENABLE_ASYNC_PUSH YES)\n set(ENABLE_LINUXDCO YES)\n set(ENABLE_SITNL YES)\n set(ENABLE_DCO YES)\nelseif (${CMAKE_SYSTEM_NAME} STREQUAL \"FreeBSD\")\n set(TARGET_FREEBSD YES)\n set(ENABLE_DCO YES)\n link_libraries(-lnv)\nelseif (${CMAKE_SYSTEM_NAME} STREQUAL \"OpenBSD\")\n set(TARGET_OPENBSD YES)\nelseif (${CMAKE_SYSTEM_NAME} STREQUAL \"SunOS\")\n set(TARGET_SOLARIS YES)\n set(HAVE_SYS_SOCKIO_H 1)\n link_libraries(-lnsl -lsocket -lresolv)\nelseif (WIN32)\n set(ENABLE_DCO YES)\nelseif (APPLE)\n set(TARGET_DARWIN YES)\nelse()\n message(FATAL_ERROR \"Unknown system name: \\\"${CMAKE_SYSTEM_NAME}\\\"\")\nendif ()\n\nif (UNIX)\n set(PATH_SEPARATOR /)\n set(ENABLE_PORT_SHARE YES)\n set(HAVE_SA_FAMILY_T YES)\nelseif (WIN32)\n set(PATH_SEPARATOR \\\\\\\\)\n set(TARGET_WIN32 YES)\nendif ()\n\ncheck_include_files(unistd.h HAVE_UNISTD_H)\nif (HAVE_UNISTD_H)\n check_symbol_exists(chroot unistd.h HAVE_CHROOT)\n check_symbol_exists(chdir unistd.h HAVE_CHDIR)\n check_symbol_exists(dup unistd.h HAVE_DUP)\n check_symbol_exists(dup2 unistd.h HAVE_DUP2)\n check_symbol_exists(fork unistd.h HAVE_FORK)\n check_symbol_exists(execve unistd.h HAVE_EXECVE)\n check_symbol_exists(ftruncate unistd.h HAVE_FTRUNCATE)\n check_symbol_exists(nice unistd.h HAVE_NICE)\n check_symbol_exists(setgid unistd.h HAVE_SETGID)\n check_symbol_exists(setuid unistd.h HAVE_SETUID)\n check_symbol_exists(setsid unistd.h HAVE_SETSID)\n check_symbol_exists(daemon \"unistd.h;stdlib.h\" HAVE_DAEMON)\n check_symbol_exists(getpeereid \"unistd.h;sys/socket.h\" HAVE_GETPEEREID)\nendif()\n\ncheck_include_files(grp.h HAVE_GRP_H)\nif (HAVE_GRP_H)\n check_symbol_exists(getgrnam grp.h HAVE_GETGRNAM)\nendif()\ncheck_include_files(libgen.h HAVE_LIBGEN_H)\nif (HAVE_LIBGEN_H)\n check_symbol_exists(basename libgen.h HAVE_BASENAME)\n check_symbol_exists(dirname libgen.h HAVE_DIRNAME)\nendif()\ncheck_include_files(pwd.h HAVE_PWD_H)\nif (HAVE_PWD_H)\n check_symbol_exists(getpwnam pwd.h HAVE_GETPWNAM)\nendif()\ncheck_include_files(sys/epoll.h HAVE_SYS_EPOLL_H)\nif (HAVE_SYS_EPOLL_H)\n check_symbol_exists(epoll_create sys/epoll.h HAVE_EPOLL_CREATE)\nendif()\ncheck_include_files(syslog.h HAVE_SYSLOG_H)\nif (HAVE_SYSLOG_H)\n check_symbol_exists(openlog syslog.h HAVE_OPENLOG)\n check_symbol_exists(syslog syslog.h HAVE_SYSLOG)\nendif()\ncheck_include_files(sys/mman.h HAVE_SYS_MMAN_H)\nif (HAVE_SYS_MMAN_H)\n check_symbol_exists(mlockall sys/mman.h HAVE_MLOCKALL)\nendif()\ncheck_include_files(sys/socket.h HAVE_SYS_SOCKET_H)\nif (HAVE_SYS_SOCKET_H)\n check_symbol_exists(sendmsg sys/socket.h HAVE_SENDMSG)\n check_symbol_exists(recvmsg sys/socket.h HAVE_RECVMSG)\n check_symbol_exists(getsockname sys/socket.h HAVE_GETSOCKNAME)\n # Checking for existence of structs with check_symbol_exists does not work,\n # so we use check_struct_hash_member with a member instead\n check_struct_has_member(\"struct cmsghdr\" cmsg_len sys/socket.h HAVE_CMSGHDR)\nendif()\ncheck_include_files(sys/time.h HAVE_SYS_TIME_H)\nif (HAVE_SYS_TIME_H)\n check_symbol_exists(gettimeofday sys/time.h HAVE_GETTIMEOFDAY)\n check_symbol_exists(getrlimit \"sys/time.h;sys/resource.h\" HAVE_GETRLIMIT)\nendif()\n\ncheck_symbol_exists(chsize io.h HAVE_CHSIZE)\ncheck_symbol_exists(getrlimit sys/resource.h HAVE_GETRLIMIT)\ncheck_symbol_exists(strsep string.h HAVE_STRSEP)\n\n# Some OS (e.g. FreeBSD) need some basic headers to allow\n# including network headers\nset(NETEXTRA sys/types.h)\ncheck_include_files(\"${NETEXTRA};netinet/in.h\" HAVE_NETINET_IN_H)\nif (HAVE_NETINET_IN_H)\n list(APPEND NETEXTRA netinet/in.h)\nendif ()\n\ncheck_include_files(arpa/inet.h HAVE_ARPA_INET_H)\ncheck_include_files(dlfcn.h HAVE_DLFCN_H)\ncheck_include_files(dmalloc.h HAVE_DMALLOC_H)\ncheck_include_files(fcntl.h HAVE_FCNTL_H)\ncheck_include_files(err.h HAVE_ERR_H)\ncheck_include_files(netdb.h HAVE_NETDB_H)\ncheck_include_files(\"${NETEXTRA};netinet/in6.h\" HAVE_NETINET_IN_H)\ncheck_include_files(net/if.h HAVE_NET_IF_H)\ncheck_include_files(\"${NETEXTRA};net/if_tun.h\" HAVE_NET_IF_TUN_H)\ncheck_include_files(poll.h HAVE_POLL_H)\ncheck_include_files(\"${NETEXTRA};resolv.h\" HAVE_RESOLV_H)\ncheck_include_files(sys/ioctl.h HAVE_SYS_IOCTL_H)\ncheck_include_files(sys/inotify.h HAVE_SYS_INOTIFY_H)\ncheck_include_files(\"${NETEXTRA};sys/uio.h\" HAVE_SYS_UIO_H)\ncheck_include_files(sys/un.h HAVE_SYS_UN_H)\ncheck_include_files(sys/wait.h HAVE_SYS_WAIT_H)\n\ncheck_include_files(\"${NETEXTRA};netinet/ip.h\" HAVE_NETINET_IP_H)\nif (HAVE_NETINET_IP_H)\n set(CMAKE_EXTRA_INCLUDE_FILES netinet/ip.h)\n check_type_size(\"struct in_pktinfo\" IN_PKTINFO)\n check_struct_has_member(\"struct in_pktinfo\" ipi_spec_dst netinet/ip.h HAVE_IPI_SPEC_DST)\n check_type_size(\"struct msghdr\" MSGHDR)\n set(CMAKE_EXTRA_INCLUDE_FILES)\nendif()\n\nfind_program(IFCONFIG_PATH ifconfig)\nfind_program(IPROUTE_PATH ip)\nfind_program(ROUTE_PATH route)\n\nif (${ENABLE_LZ4})\n pkg_search_module(liblz4 liblz4 REQUIRED IMPORTED_TARGET)\nendif ()\n\nif (${ENABLE_LZO})\n pkg_search_module(lzo2 lzo2 REQUIRED IMPORTED_TARGET)\nendif ()\n\nif (${ENABLE_PKCS11})\n pkg_search_module(pkcs11-helper libpkcs11-helper-1 REQUIRED IMPORTED_TARGET)\nendif ()\n\nfunction(check_mbed_configuration)\n if (NOT (MBED_INCLUDE_PATH STREQUAL \"\") )\n set(CMAKE_REQUIRED_INCLUDES ${MBED_INCLUDE_PATH})\n endif ()\n if (NOT (MBED_LIBRARY_PATH STREQUAL \"\"))\n set(CMAKE_REQUIRED_LINK_OPTIONS \"-L${MBED_LIBRARY_PATH}\")\n endif ()\n set(CMAKE_REQUIRED_LIBRARIES \"mbedtls;mbedx509;mbedcrypto\")\n check_include_files(psa/crypto.h HAVE_PSA_CRYPTO_H)\nendfunction()\n\nif (${MBED})\n check_mbed_configuration()\nendif()\n\nfunction(add_library_deps target)\n if (${MBED})\n if (NOT (MBED_INCLUDE_PATH STREQUAL \"\") )\n target_include_directories(${target} PRIVATE ${MBED_INCLUDE_PATH})\n endif ()\n if(NOT (MBED_LIBRARY_PATH STREQUAL \"\"))\n target_link_directories(${target} PRIVATE ${MBED_LIBRARY_PATH})\n endif ()\n\n target_link_libraries(${target} PRIVATE -lmbedtls -lmbedx509 -lmbedcrypto)\n elseif (${WOLFSSL})\n pkg_search_module(wolfssl wolfssl REQUIRED)\n target_link_libraries(${target} PUBLIC ${wolfssl_LINK_LIBRARIES})\n target_include_directories(${target} PRIVATE ${wolfssl_INCLUDE_DIRS}/wolfssl)\n else ()\n find_package(OpenSSL REQUIRED)\n target_link_libraries(${target} PUBLIC OpenSSL::SSL OpenSSL::Crypto)\n if (WIN32)\n target_link_libraries(${target} PUBLIC\n ws2_32.lib crypt32.lib fwpuclnt.lib iphlpapi.lib\n wininet.lib setupapi.lib rpcrt4.lib wtsapi32.lib ncrypt.lib bcrypt.lib)\n endif ()\n\n endif ()\n\n if (MINGW)\n target_compile_definitions(${target} PRIVATE\n WIN32_LEAN_AND_MEAN\n NTDDI_VERSION=NTDDI_VISTA _WIN32_WINNT=_WIN32_WINNT_VISTA\n )\n endif()\n\n # optional dependencies\n target_link_libraries(${target} PUBLIC\n $\n $\n $\n )\n\n if (${CMAKE_SYSTEM_NAME} STREQUAL \"Linux\")\n pkg_search_module(libcapng REQUIRED libcap-ng IMPORTED_TARGET)\n pkg_search_module(libnl REQUIRED libnl-genl-3.0 IMPORTED_TARGET)\n\n target_link_libraries(${target} PUBLIC PkgConfig::libcapng PkgConfig::libnl)\n endif ()\n\nendfunction()\n\nif (${MBED})\n set(ENABLE_CRYPTO_MBEDTLS YES)\nelseif (${WOLFSSL})\n set(ENABLE_CRYPTO_OPENSSL YES)\n set(ENABLE_CRYPTO_WOLFSSL YES)\nelse ()\n set(ENABLE_CRYPTO_OPENSSL YES)\nendif ()\n\ninclude_directories(${CMAKE_CURRENT_SOURCE_DIR} src/compat include)\n\nadd_custom_command(\n OUTPUT always_rebuild config-version.h\n COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/git-version.py\n )\nset(HAVE_CONFIG_VERSION_H YES)\n\nif (BUILD_TESTING)\n find_package(cmocka CONFIG)\n if (TARGET cmocka::cmocka)\n set(CMOCKA_LIBRARIES cmocka::cmocka)\n else ()\n pkg_search_module(cmocka cmocka REQUIRED IMPORTED_TARGET)\n set(CMOCKA_LIBRARIES PkgConfig::cmocka)\n endif ()\n set(CMAKE_REQUIRED_LIBRARIES ${CMOCKA_LIBRARIES})\n check_include_files(cmocka_version.h HAVE_CMOCKA_VERSION_H)\nendif ()\n\nconfigure_file(config.h.cmake.in config.h)\nconfigure_file(include/openvpn-plugin.h.in openvpn-plugin.h)\n# TODO we should remove the need for this, and always include config.h\nadd_compile_definitions(HAVE_CONFIG_H)\n\ninclude_directories(${CMAKE_CURRENT_BINARY_DIR})\n\nadd_subdirectory(doc)\nadd_subdirectory(src/openvpnmsica)\nadd_subdirectory(src/openvpnserv)\nadd_subdirectory(src/tapctl)\n\nset(SOURCE_FILES\n ${CMAKE_CURRENT_BINARY_DIR}/config.h\n ${CMAKE_CURRENT_BINARY_DIR}/config-version.h\n ${CMAKE_CURRENT_BINARY_DIR}/openvpn-plugin.h\n\n src/compat/compat-basename.c\n src/compat/compat-daemon.c\n src/compat/compat-dirname.c\n src/compat/compat-gettimeofday.c\n src/compat/compat-strsep.c\n src/openvpn/argv.c\n src/openvpn/argv.h\n src/openvpn/base64.c\n src/openvpn/base64.h\n src/openvpn/basic.h\n src/openvpn/buffer.c\n src/openvpn/buffer.h\n src/openvpn/circ_list.h\n src/openvpn/clinat.c\n src/openvpn/clinat.h\n src/openvpn/common.h\n src/openvpn/comp-lz4.c\n src/openvpn/comp-lz4.h\n src/openvpn/comp.c\n src/openvpn/comp.h\n src/openvpn/compstub.c\n src/openvpn/console.c\n src/openvpn/console_builtin.c\n src/openvpn/console.h\n src/openvpn/crypto.c\n src/openvpn/crypto.h\n src/openvpn/crypto_backend.h\n src/openvpn/crypto_epoch.c\n src/openvpn/crypto_epoch.h\n src/openvpn/crypto_openssl.c\n src/openvpn/crypto_openssl.h\n src/openvpn/crypto_mbedtls.c\n src/openvpn/crypto_mbedtls.h\n src/openvpn/cryptoapi.c\n src/openvpn/cryptoapi.h\n src/openvpn/dco.c\n src/openvpn/dco.h\n src/openvpn/dco_win.c\n src/openvpn/dco_win.h\n src/openvpn/dco_linux.c\n src/openvpn/dco_linux.h\n src/openvpn/dco_freebsd.c\n src/openvpn/dco_freebsd.h\n src/openvpn/dhcp.c\n src/openvpn/dhcp.h\n src/openvpn/dns.c\n src/openvpn/dns.h\n src/openvpn/errlevel.h\n src/openvpn/env_set.c\n src/openvpn/env_set.h\n src/openvpn/error.c\n src/openvpn/error.h\n src/openvpn/event.c\n src/openvpn/event.h\n src/openvpn/fdmisc.c\n src/openvpn/fdmisc.h\n src/openvpn/forward.c\n src/openvpn/forward.h\n src/openvpn/fragment.c\n src/openvpn/fragment.h\n src/openvpn/gremlin.c\n src/openvpn/gremlin.h\n src/openvpn/helper.c\n src/openvpn/helper.h\n src/openvpn/httpdigest.c\n src/openvpn/httpdigest.h\n src/openvpn/init.c\n src/openvpn/init.h\n src/openvpn/integer.h\n src/openvpn/interval.c\n src/openvpn/interval.h\n src/openvpn/list.c\n src/openvpn/list.h\n src/openvpn/lladdr.c\n src/openvpn/lladdr.h\n src/openvpn/lzo.c\n src/openvpn/lzo.h\n src/openvpn/manage.c\n src/openvpn/manage.h\n src/openvpn/mbuf.c\n src/openvpn/mbuf.h\n src/openvpn/memdbg.h\n src/openvpn/misc.c\n src/openvpn/misc.h\n src/openvpn/mroute.c\n src/openvpn/mroute.h\n src/openvpn/mss.c\n src/openvpn/mss.h\n src/openvpn/mtcp.c\n src/openvpn/mtcp.h\n src/openvpn/mtu.c\n src/openvpn/mtu.h\n src/openvpn/mudp.c\n src/openvpn/mudp.h\n src/openvpn/multi.c\n src/openvpn/multi.h\n src/openvpn/multi_io.h\n src/openvpn/multi_io.c\n src/openvpn/occ.c\n src/openvpn/occ.h\n src/openvpn/openvpn.c\n src/openvpn/openvpn.h\n src/openvpn/openvpn_win32_resources.rc\n src/openvpn/options.c\n src/openvpn/options.h\n src/openvpn/options_util.c\n src/openvpn/options_util.h\n src/openvpn/options_parse.c\n src/openvpn/otime.c\n src/openvpn/otime.h\n src/openvpn/ovpn_dco_win.h\n src/openvpn/packet_id.c\n src/openvpn/packet_id.h\n src/openvpn/ping.c\n src/openvpn/ping.h\n src/openvpn/pkcs11.c\n src/openvpn/pkcs11.h\n src/openvpn/pkcs11_backend.h\n src/openvpn/pkcs11_openssl.c\n src/openvpn/pkcs11_mbedtls.c\n src/openvpn/platform.c\n src/openvpn/platform.h\n src/openvpn/plugin.c\n src/openvpn/plugin.h\n src/openvpn/pool.c\n src/openvpn/pool.h\n src/openvpn/proto.c\n src/openvpn/proto.h\n src/openvpn/proxy.c\n src/openvpn/proxy.h\n src/openvpn/ps.c\n src/openvpn/ps.h\n src/openvpn/push.c\n src/openvpn/push_util.c\n src/openvpn/push.h\n src/openvpn/pushlist.h\n src/openvpn/reflect_filter.c\n src/openvpn/reflect_filter.h\n src/openvpn/reliable.c\n src/openvpn/reliable.h\n src/openvpn/route.c\n src/openvpn/route.h\n src/openvpn/run_command.c\n src/openvpn/run_command.h\n src/openvpn/schedule.c\n src/openvpn/schedule.h\n src/openvpn/session_id.c\n src/openvpn/session_id.h\n src/openvpn/shaper.c\n src/openvpn/shaper.h\n src/openvpn/sig.c\n src/openvpn/sig.h\n src/openvpn/socket.c\n src/openvpn/socket.h\n src/openvpn/socket_util.c\n src/openvpn/socket_util.h\n src/openvpn/socks.c\n src/openvpn/socks.h\n src/openvpn/ssl.c\n src/openvpn/ssl.h\n src/openvpn/ssl_backend.h\n src/openvpn/ssl_common.h\n src/openvpn/ssl_openssl.c\n src/openvpn/ssl_openssl.h\n src/openvpn/ssl_mbedtls.c\n src/openvpn/ssl_mbedtls.h\n src/openvpn/ssl_verify.c\n src/openvpn/ssl_verify.h\n src/openvpn/ssl_verify_backend.h\n src/openvpn/ssl_verify_openssl.c\n src/openvpn/ssl_verify_openssl.h\n src/openvpn/ssl_verify_mbedtls.c\n src/openvpn/ssl_verify_mbedtls.h\n src/openvpn/status.c\n src/openvpn/status.h\n src/openvpn/syshead.h\n src/openvpn/tls_crypt.c\n src/openvpn/tun.c\n src/openvpn/tun.h\n src/openvpn/tun_afunix.c\n src/openvpn/tun_afunix.h\n src/openvpn/networking_sitnl.c\n src/openvpn/networking_freebsd.c\n src/openvpn/auth_token.c\n src/openvpn/auth_token.h\n src/openvpn/ssl_ncp.c\n src/openvpn/ssl_ncp.h\n src/openvpn/ssl_pkt.c\n src/openvpn/ssl_pkt.h\n src/openvpn/ssl_util.c\n src/openvpn/ssl_util.h\n src/openvpn/vlan.c\n src/openvpn/vlan.h\n src/openvpn/wfp_block.c\n src/openvpn/wfp_block.h\n src/openvpn/win32.c\n src/openvpn/win32-util.c\n src/openvpn/win32.h\n src/openvpn/win32-util.h\n src/openvpn/xkey_helper.c\n src/openvpn/xkey_provider.c\n )\n\nadd_executable(openvpn ${SOURCE_FILES})\n\nadd_library_deps(openvpn)\n\ntarget_compile_options(openvpn PRIVATE -DDEFAULT_DNS_UPDOWN=\\\"${DNS_UPDOWN_PATH}\\\")\n\nif(MINGW)\n target_compile_options(openvpn PRIVATE -municode -UUNICODE)\n target_link_options(openvpn PRIVATE -municode)\nendif()\n\nif (MSVC)\n # we have our own manifest\n target_link_options(openvpn PRIVATE /MANIFEST:NO)\nendif()\n\nif (${CMAKE_SYSTEM_NAME} STREQUAL \"Linux\")\n target_link_libraries(openvpn PUBLIC -ldl)\nendif ()\n\nif (NOT WIN32)\n target_compile_options(openvpn PRIVATE -DPLUGIN_LIBDIR=\\\"${PLUGIN_DIR}\\\")\n\n find_library(resolv resolv)\n # some platform like BSDs already include resolver functionality in the libc\n # and do not have an extra resolv library\n if (${resolv} OR APPLE)\n set(RESOLV_LIBRARIES resolv)\n target_link_libraries(openvpn PUBLIC ${RESOLV_LIBRARIES})\n endif ()\nendif ()\n\noption(UT_ALLOW_BIG_ALLOC \"Allow unit-tests to use > 1 GB of memory\" ON)\n\nif (BUILD_TESTING)\n set(unit_tests\n \"test_argv\"\n \"test_auth_token\"\n \"test_buffer\"\n \"test_crypto\"\n \"test_dhcp\"\n \"test_mbuf\"\n \"test_misc\"\n \"test_ncp\"\n \"test_options_parse\"\n \"test_packet_id\"\n \"test_pkt\"\n \"test_provider\"\n \"test_socket\"\n \"test_ssl\"\n \"test_user_pass\"\n \"test_push_update_msg\"\n )\n\n if (WIN32)\n list(APPEND unit_tests\n \"test_cryptoapi\"\n )\n endif ()\n\n # MSVC and Apple's LLVM ld do not support --wrap\n # This test requires cmake >= 3.18, so check if check_linker_flag is\n # available\n if (COMMAND check_linker_flag)\n check_linker_flag(C -Wl,--wrap=parse_line LD_SUPPORTS_WRAP)\n endif()\n\n # Clang-cl (which is also MSVC) is wrongly detected to support wrap\n if (NOT MSVC AND \"${LD_SUPPORTS_WRAP}\")\n list(APPEND unit_tests\n \"test_tls_crypt\"\n )\n endif ()\n\n # These tests work on only on Linux since they depend on special Linux features\n if (${CMAKE_SYSTEM_NAME} STREQUAL \"Linux\")\n list(APPEND unit_tests\n \"test_networking\"\n )\n endif ()\n\n if (NOT WIN32 AND ${ENABLE_PKCS11})\n set(_HAVE_SOFTHSM2 YES)\n find_program(P11TOOL p11tool)\n find_program(SOFTHSM2_UTIL softhsm2-util)\n find_library(SOFTHSM2_MODULE softhsm2 PATH_SUFFIXES softhsm)\n\n if (P11TOOL STREQUAL \"P11TOOL-NOTFOUND\")\n message(STATUS \"p11tool not found, pkcs11 UT disabled\")\n set(_HAVE_SOFTHSM2 NO)\n elseif (SOFTHSM2_UTIL STREQUAL \"SOFTHSM2_UTIL-NOTFOUND\")\n message(STATUS \"softhsm2-util not found, pkcs11 UT disabled\")\n set(_HAVE_SOFTHSM2 NO)\n elseif (SOFTHSM2_MODULE STREQUAL \"SOFTHSM2_MODULE-NOTFOUND\")\n message(STATUS \"softhsm2 module not found, pkcs11 UT disabled\")\n set(_HAVE_SOFTHSM2 NO)\n endif ()\n\n if (_HAVE_SOFTHSM2)\n message(VERBOSE \"pkcs11 UT enabled\")\n list(APPEND unit_tests\n \"test_pkcs11\"\n )\n endif ()\n endif ()\n\n foreach (test_name ${unit_tests})\n cmake_path(SET _UT_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/tests/unit_tests/openvpn)\n # test_networking needs special environment\n if (NOT ${test_name} STREQUAL \"test_networking\")\n add_test(${test_name} ${test_name})\n # for compat with autotools make check\n set_tests_properties(${test_name} PROPERTIES\n ENVIRONMENT \"srcdir=${_UT_SOURCE_DIR};LSAN_OPTIONS=suppressions=${_UT_SOURCE_DIR}/input/leak_suppr.txt\")\n endif ()\n add_executable(${test_name}\n tests/unit_tests/openvpn/${test_name}.c\n tests/unit_tests/openvpn/mock_msg.c\n tests/unit_tests/openvpn/mock_msg.h\n src/openvpn/platform.c\n src/openvpn/win32-util.c\n src/compat/compat-gettimeofday.c\n )\n\n add_library_deps(${test_name})\n target_link_libraries(${test_name} PUBLIC ${CMOCKA_LIBRARIES})\n\n target_include_directories(${test_name} PRIVATE src/openvpn)\n\n # for compat with IDEs like Clion that ignore the tests properties\n # for the environment variable srcdir when running tests as fallback\n target_compile_definitions(${test_name} PRIVATE \"UNIT_TEST_SOURCEDIR=\\\"${_UT_SOURCE_DIR}\\\"\")\n if (UT_ALLOW_BIG_ALLOC)\n target_compile_definitions(${test_name} PRIVATE UNIT_TEST_ALLOW_BIG_ALLOC)\n endif ()\n\n if (NOT ${test_name} STREQUAL \"test_buffer\")\n target_sources(${test_name} PRIVATE\n src/openvpn/buffer.c\n )\n endif ()\n\n endforeach()\n\n target_sources(test_auth_token PRIVATE\n src/openvpn/base64.c\n src/openvpn/crypto_epoch.c\n src/openvpn/crypto_mbedtls.c\n src/openvpn/crypto_openssl.c\n src/openvpn/crypto.c\n src/openvpn/otime.c\n src/openvpn/packet_id.c\n )\n\n target_sources(test_buffer PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n )\n\n target_sources(test_crypto PRIVATE\n src/openvpn/crypto_mbedtls.c\n src/openvpn/crypto_openssl.c\n src/openvpn/crypto_epoch.c\n src/openvpn/crypto.c\n src/openvpn/otime.c\n src/openvpn/packet_id.c\n src/openvpn/mtu.c\n src/openvpn/mss.c\n )\n\n target_sources(test_ssl PRIVATE\n tests/unit_tests/openvpn/mock_management.c\n tests/unit_tests/openvpn/mock_ssl_dependencies.c\n tests/unit_tests/openvpn/mock_win32_execve.c\n src/openvpn/argv.c\n src/openvpn/base64.c\n src/openvpn/crypto_epoch.c\n src/openvpn/crypto_mbedtls.c\n src/openvpn/crypto_openssl.c\n src/openvpn/crypto.c\n src/openvpn/cryptoapi.c\n src/openvpn/env_set.c\n src/openvpn/mss.c\n src/openvpn/mtu.c\n src/openvpn/options_util.c\n src/openvpn/otime.c\n src/openvpn/packet_id.c\n src/openvpn/run_command.c\n src/openvpn/ssl_mbedtls.c\n src/openvpn/ssl_openssl.c\n src/openvpn/ssl_util.c\n src/openvpn/ssl_verify_mbedtls.c\n src/openvpn/ssl_verify_openssl.c\n src/openvpn/xkey_helper.c\n src/openvpn/xkey_provider.c\n )\n\n target_sources(test_mbuf PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n src/openvpn/buffer.c\n src/openvpn/mbuf.c\n )\n\n target_sources(test_misc PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n src/openvpn/options_util.c\n src/openvpn/ssl_util.c\n src/openvpn/list.c\n )\n\n target_sources(test_ncp PRIVATE\n src/openvpn/crypto_epoch.c\n src/openvpn/crypto_mbedtls.c\n src/openvpn/crypto_openssl.c\n src/openvpn/crypto.c\n src/openvpn/otime.c\n src/openvpn/packet_id.c\n src/openvpn/ssl_util.c\n src/compat/compat-strsep.c\n )\n\n target_sources(test_options_parse PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n src/openvpn/options_parse.c\n src/openvpn/options_util.c\n )\n\n target_sources(test_packet_id PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n src/openvpn/otime.c\n src/openvpn/packet_id.c\n src/openvpn/reliable.c\n src/openvpn/session_id.c\n )\n\n target_sources(test_pkt PRIVATE\n tests/unit_tests/openvpn/mock_win32_execve.c\n src/openvpn/argv.c\n src/openvpn/base64.c\n src/openvpn/crypto_epoch.c\n src/openvpn/crypto_mbedtls.c\n src/openvpn/crypto_openssl.c\n src/openvpn/crypto.c\n src/openvpn/env_set.c\n src/openvpn/otime.c\n src/openvpn/packet_id.c\n src/openvpn/reliable.c\n src/openvpn/run_command.c\n src/openvpn/session_id.c\n src/openvpn/ssl_pkt.c\n src/openvpn/tls_crypt.c\n )\n\n target_sources(test_provider PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n src/openvpn/xkey_provider.c\n src/openvpn/xkey_helper.c\n src/openvpn/base64.c\n )\n\n target_link_libraries(test_socket PUBLIC ${RESOLV_LIBRARIES})\n target_sources(test_socket PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n tests/unit_tests/openvpn/mock_management.c\n tests/unit_tests/openvpn/mock_win32_execve.c\n src/openvpn/env_set.c\n src/openvpn/run_command.c\n src/openvpn/socket_util.c\n )\n\n target_sources(test_user_pass PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n tests/unit_tests/openvpn/mock_win32_execve.c\n src/openvpn/base64.c\n src/openvpn/console.c\n src/openvpn/env_set.c\n src/openvpn/run_command.c\n )\n\n target_sources(test_push_update_msg PRIVATE\n tests/unit_tests/openvpn/mock_msg.c\n tests/unit_tests/openvpn/mock_get_random.c\n src/openvpn/options_util.c\n src/openvpn/otime.c\n src/openvpn/list.c\n )\n\n target_sources(test_argv PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n src/openvpn/argv.c\n )\n\n if (TARGET test_cryptoapi)\n target_sources(test_cryptoapi PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n tests/unit_tests/openvpn/cert_data.h\n tests/unit_tests/openvpn/pkey_test_utils.c\n src/openvpn/xkey_provider.c\n src/openvpn/xkey_helper.c\n src/openvpn/base64.c\n )\n endif ()\n\n target_compile_definitions(test_dhcp PRIVATE DHCP_UNIT_TEST)\n target_sources(test_dhcp PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n )\n\n if (TARGET test_networking)\n target_link_options(test_networking PRIVATE -Wl,--wrap=parse_line)\n target_compile_options(test_networking PRIVATE -UNDEBUG)\n target_sources(test_networking PRIVATE\n src/openvpn/networking_sitnl.c\n src/openvpn/crypto_epoch.c\n src/openvpn/crypto_mbedtls.c\n src/openvpn/crypto_openssl.c\n src/openvpn/crypto.c\n src/openvpn/crypto_epoch.c\n src/openvpn/fdmisc.c\n src/openvpn/otime.c\n src/openvpn/packet_id.c\n )\n endif ()\n\n if (TARGET test_tls_crypt)\n target_link_options(test_tls_crypt PRIVATE -Wl,--wrap=parse_line)\n target_link_options(test_tls_crypt PRIVATE\n -Wl,--wrap=buffer_read_from_file\n -Wl,--wrap=buffer_write_file\n -Wl,--wrap=rand_bytes)\n target_sources(test_tls_crypt PRIVATE\n tests/unit_tests/openvpn/mock_win32_execve.c\n src/openvpn/argv.c\n src/openvpn/base64.c\n src/openvpn/crypto_epoch.c\n src/openvpn/crypto_mbedtls.c\n src/openvpn/crypto_openssl.c\n src/openvpn/crypto.c\n src/openvpn/env_set.c\n src/openvpn/otime.c\n src/openvpn/packet_id.c\n src/openvpn/run_command.c\n )\n endif ()\n\n if (TARGET test_pkcs11)\n target_compile_options(test_pkcs11 PRIVATE\n -DP11TOOL_PATH=\\\"${P11TOOL}\\\"\n -DSOFTHSM2_MODULE_PATH=\\\"${SOFTHSM2_MODULE}\\\"\n -DSOFTHSM2_UTIL_PATH=\\\"${SOFTHSM2_UTIL}\\\"\n )\n target_sources(test_pkcs11 PRIVATE\n tests/unit_tests/openvpn/mock_get_random.c\n tests/unit_tests/openvpn/pkey_test_utils.c\n src/openvpn/argv.c\n src/openvpn/base64.c\n src/openvpn/env_set.c\n src/openvpn/otime.c\n src/openvpn/pkcs11.c\n src/openvpn/pkcs11_openssl.c\n src/openvpn/run_command.c\n src/openvpn/xkey_helper.c\n src/openvpn/xkey_provider.c\n )\n endif ()\n\nendif (BUILD_TESTING)\n" }, { "path": "CMakePresets.json", "content": "{\n \"version\": 3,\n \"configurePresets\": [\n {\n \"name\": \"base\",\n \"hidden\": true,\n \"cacheVariables\": {\n \"CMAKE_TOOLCHAIN_FILE\": {\n \"value\": \"$env{VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake\",\n \"type\": \"FILEPATH\"\n },\n \"VCPKG_OVERLAY_TRIPLETS\": {\n \"value\": \"${sourceDir}/contrib/vcpkg-triplets\",\n \"type\": \"FILEPATH\"\n },\n \"VCPKG_OVERLAY_PORTS\": {\n \"value\": \"${sourceDir}/contrib/vcpkg-ports\",\n \"type\": \"FILEPATH\"\n }\n }\n },\n {\n \"name\": \"base-windows\",\n \"hidden\": true,\n \"binaryDir\": \"${sourceDir}/out/build/${presetName}\",\n \"generator\": \"Visual Studio 17 2022\",\n \"cacheVariables\": {\n \"VCPKG_MANIFEST_DIR\": \"${sourceDir}/contrib/vcpkg-manifests/windows\",\n \"VCPKG_HOST_TRIPLET\": \"x64-windows\"\n },\n \"vendor\": { \"microsoft.com/VisualStudioSettings/CMake/1.0\": { \"hostOS\": [ \"Windows\" ] } }\n },\n {\n \"name\": \"base-mingw\",\n \"hidden\": true,\n \"generator\": \"Ninja Multi-Config\",\n \"cacheVariables\": {\n \"CMAKE_SYSTEM_NAME\": {\n \"value\": \"Windows\",\n \"type\": \"STRING\"\n },\n \"VCPKG_MANIFEST_DIR\": \"${sourceDir}/contrib/vcpkg-manifests/mingw\"\n }\n },\n {\n \"name\": \"x64\",\n \"hidden\": true,\n \"architecture\": {\n \"value\": \"x64\",\n \"strategy\": \"set\"\n },\n \"cacheVariables\": {\n \"VCPKG_TARGET_TRIPLET\": \"x64-windows-ovpn\"\n }\n },\n {\n \"name\": \"x64-mingw\",\n \"hidden\": true,\n \"binaryDir\": \"out/build/mingw/x64\",\n \"cacheVariables\": {\n \"CMAKE_C_COMPILER\": {\n \"value\": \"x86_64-w64-mingw32-gcc\",\n \"type\": \"STRING\"\n },\n \"CMAKE_CXX_COMPILER\": {\n \"value\": \"x86_64-w64-mingw32-g++\",\n \"type\": \"STRING\"\n },\n \"VCPKG_TARGET_TRIPLET\": \"x64-mingw-ovpn\"\n }\n },\n {\n \"name\": \"arm64\",\n \"hidden\": true,\n \"architecture\": {\n \"value\": \"arm64\",\n \"strategy\": \"set\"\n },\n \"cacheVariables\": {\n \"VCPKG_TARGET_TRIPLET\": \"arm64-windows-ovpn\"\n }\n },\n {\n \"name\": \"x86\",\n \"hidden\": true,\n \"architecture\": {\n \"value\": \"Win32\",\n \"strategy\": \"set\"\n },\n \"cacheVariables\": {\n \"VCPKG_TARGET_TRIPLET\": \"x86-windows-ovpn\"\n }\n },\n {\n \"name\": \"i686-mingw\",\n \"hidden\": true,\n \"binaryDir\": \"out/build/mingw/x86\",\n \"cacheVariables\": {\n \"CMAKE_C_COMPILER\": {\n \"value\": \"i686-w64-mingw32-gcc\",\n \"type\": \"STRING\"\n },\n \"CMAKE_CXX_COMPILER\": {\n \"value\": \"i686-w64-mingw32-g++\",\n \"type\": \"STRING\"\n },\n \"VCPKG_TARGET_TRIPLET\": \"x86-mingw-ovpn\"\n }\n },\n {\n \"name\": \"debug\",\n \"hidden\": true,\n \"cacheVariables\": {\n \"CMAKE_BUILD_TYPE\": \"Debug\"\n }\n },\n {\n \"name\": \"release\",\n \"hidden\": true,\n \"cacheVariables\": {\n \"CMAKE_BUILD_TYPE\": \"Release\"\n }\n },\n {\n \"name\": \"clangtoolset\",\n \"toolset\": \"ClangCL\"\n },\n {\n \"name\": \"mingw-x64\",\n \"inherits\": [ \"base\", \"base-mingw\", \"x64-mingw\" ]\n },\n {\n \"name\": \"mingw-x86\",\n \"inherits\": [ \"base\", \"base-mingw\", \"i686-mingw\" ]\n },\n {\n \"name\": \"win-amd64-release\",\n \"inherits\": [ \"base\", \"base-windows\", \"x64\", \"release\" ]\n },\n {\n \"name\": \"win-amd64-clang-release\",\n \"inherits\": [ \"base\", \"base-windows\", \"clangtoolset\", \"x64\", \"release\" ]\n },\n {\n \"name\": \"win-arm64-release\",\n \"inherits\": [ \"base\", \"base-windows\", \"arm64\", \"release\" ]\n },\n {\n \"name\": \"win-x86-release\",\n \"inherits\": [ \"base\", \"base-windows\", \"x86\", \"release\" ]\n },\n {\n \"name\": \"win-x86-clang-release\",\n \"inherits\": [ \"base\", \"base-windows\", \"clangtoolset\", \"x86\", \"release\" ]\n },\n {\n \"name\": \"win-amd64-debug\",\n \"inherits\": [ \"base\", \"base-windows\", \"x64\", \"debug\" ]\n },\n {\n \"name\": \"win-amd64-clang-debug\",\n \"inherits\": [ \"base\", \"base-windows\", \"clangtoolset\", \"x64\", \"debug\" ]\n },\n {\n \"name\": \"win-arm64-debug\",\n \"inherits\": [ \"base\", \"base-windows\", \"arm64\", \"debug\" ]\n },\n {\n \"name\": \"win-x86-debug\",\n \"inherits\": [ \"base\", \"base-windows\", \"x86\", \"debug\" ]\n },\n {\n \"name\": \"win-x86-clang-debug\",\n \"inherits\": [ \"base\", \"base-windows\", \"clangtoolset\", \"x86\", \"debug\" ]\n },\n {\n \"name\": \"unix-native\",\n \"generator\": \"Ninja Multi-Config\",\n \"binaryDir\": \"out/build/unix\"\n }\n ],\n \"buildPresets\": [\n {\n \"name\": \"mingw-x64\",\n \"configurePreset\": \"mingw-x64\"\n },\n {\n \"name\": \"mingw-x86\",\n \"configurePreset\": \"mingw-x86\"\n },\n {\n \"name\": \"win-amd64-release\",\n \"configurePreset\": \"win-amd64-release\",\n \"configuration\": \"Release\"\n },\n {\n \"name\": \"win-amd64-clang-release\",\n \"configurePreset\": \"win-amd64-clang-release\",\n \"configuration\": \"Release\"\n },\n {\n \"name\": \"win-arm64-release\",\n \"configurePreset\": \"win-arm64-release\",\n \"configuration\": \"Release\"\n },\n {\n \"name\": \"win-x86-release\",\n \"configurePreset\": \"win-x86-release\",\n \"configuration\": \"Release\"\n },\n {\n \"name\": \"win-x86-clang-release\",\n \"configurePreset\": \"win-x86-clang-release\",\n \"configuration\": \"Release\"\n },\n {\n \"name\": \"win-amd64-debug\",\n \"configurePreset\": \"win-amd64-debug\",\n \"configuration\": \"Debug\"\n },\n {\n \"name\": \"win-amd64-clang-debug\",\n \"configurePreset\": \"win-amd64-clang-debug\",\n \"configuration\": \"Debug\"\n },\n {\n \"name\": \"win-arm64-debug\",\n \"configurePreset\": \"win-arm64-debug\",\n \"configuration\": \"Debug\"\n },\n {\n \"name\": \"win-x86-debug\",\n \"configurePreset\": \"win-x86-debug\",\n \"configuration\": \"Debug\"\n },\n {\n \"name\": \"win-x86-clang-debug\",\n \"configurePreset\": \"win-x86-clang-debug\",\n \"configuration\": \"Debug\"\n },\n {\n \"name\": \"unix-native\",\n \"configurePreset\": \"unix-native\"\n }\n ],\n \"testPresets\": [\n {\n \"name\": \"win-amd64-release\",\n \"configurePreset\": \"win-amd64-release\"\n },\n {\n \"name\": \"win-amd64-clang-release\",\n \"configurePreset\": \"win-amd64-clang-release\"\n },\n {\n \"name\": \"win-x86-release\",\n \"configurePreset\": \"win-x86-release\"\n },\n {\n \"name\": \"win-x86-clang-release\",\n \"configurePreset\": \"win-x86-clang-release\"\n },\n {\n \"name\": \"win-amd64-debug\",\n \"configurePreset\": \"win-amd64-debug\"\n },\n {\n \"name\": \"win-amd64-clang-debug\",\n \"configurePreset\": \"win-amd64-clang-debug\"\n },\n {\n \"name\": \"win-x86-debug\",\n \"configurePreset\": \"win-x86-debug\"\n },\n {\n \"name\": \"win-x86-clang-debug\",\n \"configurePreset\": \"win-x86-clang-debug\"\n },\n {\n \"name\": \"unix-native\",\n \"configurePreset\": \"unix-native\"\n }\n ]\n}\n" }, { "path": "CONTRIBUTING.rst", "content": "CONTRIBUTING TO THE OPENVPN PROJECT\n===================================\n\nPatches should be written against the Git \"master\" branch. Some patches may get\nbackported to a release branch.\n\nThe preferred procedure is to send patches to the \"openvpn-devel\" mailing list:\n\n- https://lists.sourceforge.net/lists/listinfo/openvpn-devel\n\nInstead of directly sending patches to the list you can also create an account\nin our instance of the Gerrit review tool: https://gerrit.openvpn.net/\nSee https://community.openvpn.net/Development/GerritBestPractices.\n\nWhile we do not merge GitHub pull requests as-is, we do allow their use for code\nreview purposes. After the patch has been ACKed (reviewed and accepted), it must\nbe sent to the mailing list. This last step does not necessarily need to be done\nby the patch author, although that is definitely recommended.\n\nWhen sending patches to \"openvpn-devel\" the subject line should be prefixed with\n``[PATCH]``. To avoid merging issues the patches should be generated with\ngit-format-patch or sent using git-send-email. Try to split large patches into\nsmall, atomic pieces to make reviews easier.\n\nPlease make sure that the source code formatting follows the guidelines at\nhttps://community.openvpn.net/Development/CodeStyle. Automated checking can be\ndone with clang-format (https://community.openvpn.net/Development/CodeStyle)\nand the configuration file which can be found in the git repository at ``.clang-format``.\n\nThere is also a git pre-commit hook script, which runs clang-format automatically\neach time you commit and lets you format your code conveniently, if needed.\nTo install the hook simply run: ``dev-tools/git-pre-commit-format.sh install``\n\nIf you want quick feedback on a patch before sending it to openvpn-devel mailing\nlist, you can visit the #openvpn-devel channel on irc.libera.chat. Note that\nyou need to be logged in to Libera to join the channel:\n\n- https://libera.chat/guides/registration\n\nMore detailed contribution instructions are available here:\n\n- https://community.openvpn.net/Development/DeveloperDocumentation\n\nNote that the process for contributing to other OpenVPN projects such as\nopenvpn-build, openvpn-gui, tap-windows6 and easy-rsa may differ from what was\ndescribed above. Please refer to the contribution instructions of each\nrespective project.\n" }, { "path": "COPYING", "content": "OpenVPN (TM) -- An Open Source VPN daemon\n\nCopyright (C) 2002-2026 OpenVPN Inc \n\nThis distribution contains multiple components, some\nof which fall under different licenses. By using OpenVPN\nor any of the bundled components enumerated below, you\nagree to be bound by the conditions of the license for\neach respective component.\n\nOpenVPN trademark\n-----------------\n\n \"OpenVPN\" is a trademark of OpenVPN Inc\n\n\nOpenVPN license:\n----------------\n\n OpenVPN is distributed under the GPL license version 2.\n\n Special exception for linking OpenVPN with OpenSSL:\n\n In addition, as a special exception, OpenVPN Inc gives\n permission to link the code of this program with the OpenSSL\n library (or with modified versions of OpenSSL that use the same\n license as OpenSSL), and distribute linked combinations including\n the two. You must obey the GNU General Public License in all\n respects for all of the code used other than OpenSSL. If you modify\n this file, you may extend this exception to your version of the\n file, but you are not obligated to do so. If you do not wish to\n do so, delete this exception statement from your version.\n\nApache2 linking exception:\n---------------------------\n In addition, as a special exception, OpenVPN Inc and the\n contributors give permission to link the code of this program to\n libraries (the \"Libraries\") licensed under the Apache License\n version 2.0 (this work and any linked library the \"Combined Work\")\n and copy and distribute the Combined Work without an obligation to\n license the Libraries under the GNU General Public License v2\n (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an\n obligation to refrain from imposing any additional restrictions in\n the Apache License version 2 that are not in the GPL-2.0, as\n required by Section 6 of the GPL-2.0. You must comply with the\n GPL-2.0 in all other respects for the Combined Work, including\n the obligation to provide source code. If you modify this file, you\n may extend this exception to your version of the file, but you are\n not obligated to do so. If you do not wish to do so, delete this\n exception statement from your version.\n\nFor better understanding, in plain non-legalese English this basically says:\n\n * The intention for this license exception is to allow OpenVPN to be\n linked against APL-2 licensed libraries, even where the GPL-2.0 and\n APL-2 licenses conflict from a legal perspective.\n\n * OpenVPN itself will stay GPL-2.0 and the code belonging to the\n OpenVPN project must comply to the GPL-2.0 license. This is NOT\n dual-licensing of the OpenVPN code base.\n\n * This license exception DOES NOT require NOR expect a license change\n of the APL-2 based library. This exception allows using the APL-2\n library as-is. However, when distributing a compiled OpenVPN binary\n linking against APL-2 libraries (\"Combined Work\"), the REQUIREMENT is\n that the APL-2 library MUST also be available on similar terms as in\n GPL-2.0, like providing the source code of the library upon request,\n except in the two specific ways mentioned.\n\n * If the APL-2 based library forbids such linking and distribution,\n this license exception DOES NOT overrule the restriction of the APL-2\n based library. If the APL-2 library cannot satisfy the requirements\n in this license exception, you CANNOT distribute an OpenVPN binary\n linked with this library.\n\nLZO linking exception:\n----------------------\n\n LZO is Copyright (C) Markus F.X.J. Oberhumer,\n and is licensed under the GPL.\n\n Special exception for linking OpenVPN with both OpenSSL and LZO:\n\n Hereby I grant a special exception to the OpenVPN project\n (https://openvpn.net/) to link the LZO library with\n the OpenSSL library (https://www.openssl.org).\n\n Markus F.X.J. Oberhumer\n" }, { "path": "COPYRIGHT.GPL", "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n Preamble\n\n The licenses for most software are designed to take away your\nfreedom to share and change it. By contrast, the GNU General Public\nLicense is intended to guarantee your freedom to share and change free\nsoftware--to make sure the software is free for all its users. This\nGeneral Public License applies to most of the Free Software\nFoundation's software and to any other program whose authors commit to\nusing it. (Some other Free Software Foundation software is covered by\nthe GNU Lesser General Public License instead.) You can apply it to\nyour programs, too.\n\n When we speak of free software, we are referring to freedom, not\nprice. Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthis service if you wish), that you receive source code or can get it\nif you want it, that you can change the software or use pieces of it\nin new free programs; and that you know you can do these things.\n\n To protect your rights, we need to make restrictions that forbid\nanyone to deny you these rights or to ask you to surrender the rights.\nThese restrictions translate to certain responsibilities for you if you\ndistribute copies of the software, or if you modify it.\n\n For example, if you distribute copies of such a program, whether\ngratis or for a fee, you must give the recipients all the rights that\nyou have. You must make sure that they, too, receive or can get the\nsource code. And you must show them these terms so they know their\nrights.\n\n We protect your rights with two steps: (1) copyright the software, and\n(2) offer you this license which gives you legal permission to copy,\ndistribute and/or modify the software.\n\n Also, for each author's protection and ours, we want to make certain\nthat everyone understands that there is no warranty for this free\nsoftware. If the software is modified by someone else and passed on, we\nwant its recipients to know that what they have is not the original, so\nthat any problems introduced by others will not reflect on the original\nauthors' reputations.\n\n Finally, any free program is threatened constantly by software\npatents. We wish to avoid the danger that redistributors of a free\nprogram will individually obtain patent licenses, in effect making the\nprogram proprietary. To prevent this, we have made it clear that any\npatent must be licensed for everyone's free use or not licensed at all.\n\n The precise terms and conditions for copying, distribution and\nmodification follow.\n\n GNU GENERAL PUBLIC LICENSE\n TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n 0. This License applies to any program or other work which contains\na notice placed by the copyright holder saying it may be distributed\nunder the terms of this General Public License. The \"Program\", below,\nrefers to any such program or work, and a \"work based on the Program\"\nmeans either the Program or any derivative work under copyright law:\nthat is to say, a work containing the Program or a portion of it,\neither verbatim or with modifications and/or translated into another\nlanguage. (Hereinafter, translation is included without limitation in\nthe term \"modification\".) Each licensee is addressed as \"you\".\n\nActivities other than copying, distribution and modification are not\ncovered by this License; they are outside its scope. The act of\nrunning the Program is not restricted, and the output from the Program\nis covered only if its contents constitute a work based on the\nProgram (independent of having been made by running the Program).\nWhether that is true depends on what the Program does.\n\n 1. You may copy and distribute verbatim copies of the Program's\nsource code as you receive it, in any medium, provided that you\nconspicuously and appropriately publish on each copy an appropriate\ncopyright notice and disclaimer of warranty; keep intact all the\nnotices that refer to this License and to the absence of any warranty;\nand give any other recipients of the Program a copy of this License\nalong with the Program.\n\nYou may charge a fee for the physical act of transferring a copy, and\nyou may at your option offer warranty protection in exchange for a fee.\n\n 2. You may modify your copy or copies of the Program or any portion\nof it, thus forming a work based on the Program, and copy and\ndistribute such modifications or work under the terms of Section 1\nabove, provided that you also meet all of these conditions:\n\n a) You must cause the modified files to carry prominent notices\n stating that you changed the files and the date of any change.\n\n b) You must cause any work that you distribute or publish, that in\n whole or in part contains or is derived from the Program or any\n part thereof, to be licensed as a whole at no charge to all third\n parties under the terms of this License.\n\n c) If the modified program normally reads commands interactively\n when run, you must cause it, when started running for such\n interactive use in the most ordinary way, to print or display an\n announcement including an appropriate copyright notice and a\n notice that there is no warranty (or else, saying that you provide\n a warranty) and that users may redistribute the program under\n these conditions, and telling the user how to view a copy of this\n License. (Exception: if the Program itself is interactive but\n does not normally print such an announcement, your work based on\n the Program is not required to print an announcement.)\n\nThese requirements apply to the modified work as a whole. If\nidentifiable sections of that work are not derived from the Program,\nand can be reasonably considered independent and separate works in\nthemselves, then this License, and its terms, do not apply to those\nsections when you distribute them as separate works. But when you\ndistribute the same sections as part of a whole which is a work based\non the Program, the distribution of the whole must be on the terms of\nthis License, whose permissions for other licensees extend to the\nentire whole, and thus to each and every part regardless of who wrote it.\n\nThus, it is not the intent of this section to claim rights or contest\nyour rights to work written entirely by you; rather, the intent is to\nexercise the right to control the distribution of derivative or\ncollective works based on the Program.\n\nIn addition, mere aggregation of another work not based on the Program\nwith the Program (or with a work based on the Program) on a volume of\na storage or distribution medium does not bring the other work under\nthe scope of this License.\n\n 3. You may copy and distribute the Program (or a work based on it,\nunder Section 2) in object code or executable form under the terms of\nSections 1 and 2 above provided that you also do one of the following:\n\n a) Accompany it with the complete corresponding machine-readable\n source code, which must be distributed under the terms of Sections\n 1 and 2 above on a medium customarily used for software interchange; or,\n\n b) Accompany it with a written offer, valid for at least three\n years, to give any third party, for a charge no more than your\n cost of physically performing source distribution, a complete\n machine-readable copy of the corresponding source code, to be\n distributed under the terms of Sections 1 and 2 above on a medium\n customarily used for software interchange; or,\n\n c) Accompany it with the information you received as to the offer\n to distribute corresponding source code. (This alternative is\n allowed only for noncommercial distribution and only if you\n received the program in object code or executable form with such\n an offer, in accord with Subsection b above.)\n\nThe source code for a work means the preferred form of the work for\nmaking modifications to it. For an executable work, complete source\ncode means all the source code for all modules it contains, plus any\nassociated interface definition files, plus the scripts used to\ncontrol compilation and installation of the executable. However, as a\nspecial exception, the source code distributed need not include\nanything that is normally distributed (in either source or binary\nform) with the major components (compiler, kernel, and so on) of the\noperating system on which the executable runs, unless that component\nitself accompanies the executable.\n\nIf distribution of executable or object code is made by offering\naccess to copy from a designated place, then offering equivalent\naccess to copy the source code from the same place counts as\ndistribution of the source code, even though third parties are not\ncompelled to copy the source along with the object code.\n\n 4. You may not copy, modify, sublicense, or distribute the Program\nexcept as expressly provided under this License. Any attempt\notherwise to copy, modify, sublicense or distribute the Program is\nvoid, and will automatically terminate your rights under this License.\nHowever, parties who have received copies, or rights, from you under\nthis License will not have their licenses terminated so long as such\nparties remain in full compliance.\n\n 5. You are not required to accept this License, since you have not\nsigned it. However, nothing else grants you permission to modify or\ndistribute the Program or its derivative works. These actions are\nprohibited by law if you do not accept this License. Therefore, by\nmodifying or distributing the Program (or any work based on the\nProgram), you indicate your acceptance of this License to do so, and\nall its terms and conditions for copying, distributing or modifying\nthe Program or works based on it.\n\n 6. Each time you redistribute the Program (or any work based on the\nProgram), the recipient automatically receives a license from the\noriginal licensor to copy, distribute or modify the Program subject to\nthese terms and conditions. You may not impose any further\nrestrictions on the recipients' exercise of the rights granted herein.\nYou are not responsible for enforcing compliance by third parties to\nthis License.\n\n 7. If, as a consequence of a court judgment or allegation of patent\ninfringement or for any other reason (not limited to patent issues),\nconditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License. If you cannot\ndistribute so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you\nmay not distribute the Program at all. For example, if a patent\nlicense would not permit royalty-free redistribution of the Program by\nall those who receive copies directly or indirectly through you, then\nthe only way you could satisfy both it and this License would be to\nrefrain entirely from distribution of the Program.\n\nIf any portion of this section is held invalid or unenforceable under\nany particular circumstance, the balance of the section is intended to\napply and the section as a whole is intended to apply in other\ncircumstances.\n\nIt is not the purpose of this section to induce you to infringe any\npatents or other property right claims or to contest validity of any\nsuch claims; this section has the sole purpose of protecting the\nintegrity of the free software distribution system, which is\nimplemented by public license practices. Many people have made\ngenerous contributions to the wide range of software distributed\nthrough that system in reliance on consistent application of that\nsystem; it is up to the author/donor to decide if he or she is willing\nto distribute software through any other system and a licensee cannot\nimpose that choice.\n\nThis section is intended to make thoroughly clear what is believed to\nbe a consequence of the rest of this License.\n\n 8. If the distribution and/or use of the Program is restricted in\ncertain countries either by patents or by copyrighted interfaces, the\noriginal copyright holder who places the Program under this License\nmay add an explicit geographical distribution limitation excluding\nthose countries, so that distribution is permitted only in or among\ncountries not thus excluded. In such case, this License incorporates\nthe limitation as if written in the body of this License.\n\n 9. The Free Software Foundation may publish revised and/or new versions\nof the General Public License from time to time. Such new versions will\nbe similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\nEach version is given a distinguishing version number. If the Program\nspecifies a version number of this License which applies to it and \"any\nlater version\", you have the option of following the terms and conditions\neither of that version or of any later version published by the Free\nSoftware Foundation. If the Program does not specify a version number of\nthis License, you may choose any version ever published by the Free Software\nFoundation.\n\n 10. If you wish to incorporate parts of the Program into other free\nprograms whose distribution conditions are different, write to the author\nto ask for permission. For software which is copyrighted by the Free\nSoftware Foundation, write to the Free Software Foundation; we sometimes\nmake exceptions for this. Our decision will be guided by the two goals\nof preserving the free status of all derivatives of our free software and\nof promoting the sharing and reuse of software generally.\n\n NO WARRANTY\n\n 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY\nFOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN\nOTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES\nPROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED\nOR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS\nTO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE\nPROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,\nREPAIR OR CORRECTION.\n\n 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR\nREDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,\nINCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING\nOUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED\nTO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY\nYOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER\nPROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGES.\n\n END OF TERMS AND CONDITIONS\n\n How to Apply These Terms to Your New Programs\n\n If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these terms.\n\n To do so, attach the following notices to the program. It is safest\nto attach them to the start of each source file to most effectively\nconvey the exclusion of warranty; and each file should have at least\nthe \"copyright\" line and a pointer to where the full notice is found.\n\n \n Copyright (C) \n\n This program is free software; you can redistribute it and/or modify\n it under the terms of the GNU General Public License as published by\n the Free Software Foundation; either version 2 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU General Public License for more details.\n\n You should have received a copy of the GNU General Public License along\n with this program; if not, see .\n\nAlso add information on how to contact you by electronic and paper mail.\n\nIf the program is interactive, make it output a short notice like this\nwhen it starts in an interactive mode:\n\n Gnomovision version 69, Copyright (C) year name of author\n Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\n This is free software, and you are welcome to redistribute it\n under certain conditions; type `show c' for details.\n\nThe hypothetical commands `show w' and `show c' should show the appropriate\nparts of the General Public License. Of course, the commands you use may\nbe called something other than `show w' and `show c'; they could even be\nmouse-clicks or menu items--whatever suits your program.\n\nYou should also get your employer (if you work as a programmer) or your\nschool, if any, to sign a \"copyright disclaimer\" for the program, if\nnecessary. Here is a sample; alter the names:\n\n Yoyodyne, Inc., hereby disclaims all copyright interest in the program\n `Gnomovision' (which makes passes at compilers) written by James Hacker.\n\n , 1 April 1989\n Moe Ghoul, President of Vice\n\nThis General Public License does not permit incorporating your program into\nproprietary programs. If your program is a subroutine library, you may\nconsider it more useful to permit linking proprietary applications with the\nlibrary. If this is what you want to do, use the GNU Lesser General\nPublic License instead of this License.\n" }, { "path": "ChangeLog", "content": "OpenVPN ChangeLog\nCopyright (C) 2002-2026 OpenVPN Inc \n\nthis marks the start of the 2.8 development cycle\n\nup to the first formal 2.8 pre-release, this file will not be\nmaintained - please look at \"git log\" or \"git shortlog v2.7.0..HEAD\"\nto see what was changed.\n" }, { "path": "Changes.rst", "content": "Overview of changes in 2.8\n==========================\n\n\nOverview of changes in 2.7\n==========================\nNew features\n------------\nMulti-socket support for servers\n OpenVPN servers now can listen on multiple sockets at the same time.\n Multiple ``--local`` statements in the configuration can be used to\n configure this. This way the same server can e.g. listen for UDP\n and TCP connections at the same time, or listen on multiple addresses\n and/or ports.\n\nClient implementations for DNS options sent by server for Linux/BSD/macOS\n Linux, BSD and macOS versions of OpenVPN now ship with a per-platform\n default ``--dns-updown`` script that implements proper handling of\n DNS configuration sent by the server. The scripts should work on\n systems that use ``systemd`` or ``resolveconf`` to manage the DNS\n setup, as well as raw ``/etc/resolv.conf`` files. However, the exact\n features supported will depend on the configuration method.\n On Linux and MacOS this should usually make split-DNS configurations\n supported out-of-the-box now.\n\n Note that this new script will not be used by default if a ``--up``\n script is already in use to reduce problems with\n backwards compatibility.\n\n See documentation for ``--dns-updown`` and ``--dns`` for more details.\n\nNew client implementation for DNS options sent by server for Windows\n The Windows client now uses NRPT (Name Resolution Policy Table) to\n handle DNS configurations. This adds support for split-DNS and DNSSEC\n and improves the compatbility with local DNS resolvers. Requires the\n interactive service.\n\nOn Windows the ``block-local`` flag is now enforced with WFP filters.\n The ``block-local`` flag to ``--redirect-gateway`` and\n ``--redirect-private`` is now also enforced via the Windows Firewall,\n making sure packets can't be sent to the local network.\n This provides stronger protection against TunnelCrack-style attacks.\n\nWindows network adapters are now generated on demand\n This means that on systems that run multiple OpenVPN connections at\n the same time the users don't need to manually create enough network\n adapters anymore (in addition to the ones created by the installer).\n\nWindows automatic service now runs as an unpriviledged user\n All tasks that need privileges are now delegated to the interactive\n service.\n **NOTE** this has the risk of breaking existing setups if the\n Windows certificate store is used (cryptoapi), and the certificates\n are not readable for ``NT SERVICE\\OpenVPNService``.\n\nSupport for new version of Linux DCO module\n OpenVPN DCO module is moving upstream and being merged into the\n main Linux kernel. For this process some API changes were required.\n OpenVPN 2.7 will only support the new API. The new module is called\n ``ovpn``. Out-of-tree builds for older kernels are available. Please\n see the release announcements for futher information.\n\nSupport for server mode in win-dco driver\n On Windows the win-dco driver can now be used in server setups.\n\nSupport for TLS client floating in DCO implementations\n The kernel modules will detect clients floating to a new IP address\n and notify userland so both data packets (kernel) and TLS packets\n (sent by userland) can reach the new client IP.\n (Actual support depends on recent-enough kernel implementation)\n\nEnforcement of AES-GCM usage limit\n OpenVPN will now enforce the usage limits on AES-GCM with the same\n confidentiality margin as TLS 1.3 does. This mean that renegotiation will\n be triggered after roughly 2^28 to 2^31 packets depending of the packet\n size. More details about usage limit of AES-GCM can be found here:\n\n https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/\n\nEpoch data keys and packet format\n This introduces the epoch data format for AEAD data channel\n ciphers in TLS mode ciphers. This new data format has a number of\n improvements over the standard \"DATA_V2\" format.\n\n - AEAD tag at the end of packet which is more hardware implementation\n friendly\n - Automatic key switchover when cipher usage limits are hit, similar to\n the epoch data keys in (D)TLS 1.3\n - 64 bit instead of 32 bit packet ids to allow the data channel to be\n ready for 10 GBit/s without having frequent renegotiation\n - IV constructed with XOR instead of concatenation to not have (parts) of\n the real IV on the wire\n\nSupport for Epoch data channel on Windows, using the win-dco driver (2.8.0+)\n\nDefault ciphers in ``--data-ciphers``\n Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is\n replaced by the default ciphers used by OpenVPN, making it easier to\n add an allowed cipher without having to spell out the default ciphers.\n\nTLS alerts\n OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS\n session shuts down or when the TLS implementation informs the peer about\n an error in the TLS session (e.g. mismatching TLS versions). This improves\n the user experience as the client shows an error instead of running into\n a timeout when the server just stops responding completely.\n\nSupport for tun/tap via unix domain socket and lwipovpn support\n To allow better testing and emulating a full client with a full\n network stack OpenVPN now allows a program executed to provide\n a tun/tap device instead of opening a device.\n\n The co-developed lwipovpn program based on lwIP stack allows to\n simulate full IP stack. An OpenVPN client using\n ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that\n can be pinged, can serve a website and more without requiring any\n elevated permission. This can make testing OpenVPN much easier.\n\n For more details see\n `lwipovpn on Github `_.\n\nAllow overriding username with ``--override-username``\n This is intended to allow using ``--auth-gen-token`` in scenarios where the\n clients use certificates and multi-factor authentication. This will\n also generate a ``push \"auth-token-user newusername\"`` directive in\n push replies.\n\n``--port-share`` now properly supports IPv6\n Issues with logging of IPv6 addresses were fixed. The feature now allows\n IPv6 connections towards the proxy receiver.\n\nSupport for Haiku OS\n\nTLS1.3 support with mbedTLS (requires mbedTLS >= 3.6.4)\n\nPUSH_UPDATE client support\n It is now possible to update parts of the client-side configuration\n (IP address, routes, MTU, DNS) by sending a new server-to-client\n control message, ``PUSH_UPDATE,``.\n See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html\n NOTE: PUSH_UPDATE client support is currently disabled if DCO\n is active (on all platforms).\n\nPUSH_UPDATE server support (minimal)\n New management interface commands ``push-update-broad`` and\n ``push-update-cid`` to send PUSH_UPDATE option updates to all\n clients (\"there is a new DNS server\") or only a specific client ID\n (\"privileges have changed, here's a new IP address\"). See\n doc/management-notes.txt\n NOTE: PUSH_UPDATE server support is currently disabled if DCO\n is active (on all platforms).\n\nSupport for user-defined routing tables on Linux\n See the ``--route-table`` option in the manpage\n\nPQE support for WolfSSL\n\nTwo new environment variables have been introduced to communicate desired\n default gateway redirection to plugins like Network Manager,\n ``route_redirect_gateway_ipv4`` and ``route_redirect_gateway_ipv6``.\n See the \"Environmental Variables\" section in the man page\n\nImproved logging of service events/errors to event log on Windows.\n\n\"Recursive Routing\" check is now more granular, and will only drop\n packets-in-tunnel if destination IP, protocol and port matches with\n those needed to reach the VPN server. With that change, you can now\n use policies that direct \"everything that is not OpenVPN\" into the\n tunnel, and have IP packets to the VPN server address arrive as\n expected (no such policies are currently installed by OpenVPN)\n (GH: OpenVPN/openvpn#669).\n\nCOPYING: license details only relevant to our Windows installers have\n been updated and moved to the openvpn-build repo\n\nImproved BYTECOUNT support - more strictly adhere to timing interval\n requested, correctly support client and server counters with Linux and\n Windows DCO offloading.\n\nImprove compatibility with OpenSSL 3.6.0 (do not fail t_lpback selftest)\n\nNew option ``--tls-crypt-v2-max-age n`` to check tls-crypt-v2 timestamps\n (When a client is older than n days or has no timestamp, the server\n will reject it)\n\nmbedTLS 4 support has been added.\n Note that with mbedTLS 4 algorithms need to be translated to\n mbedTLS 4 internal IDs by OpenVPN, and some names might be\n missing.\n\n\nDeprecated features\n-------------------\n``secret`` support has been removed (by default).\n static key mode (non-TLS) is no longer considered \"good and secure enough\"\n for today's requirements. Use TLS mode instead. If deploying a PKI CA\n is considered \"too complicated\", using ``--peer-fingerprint`` makes\n TLS mode about as easy as using ``--secret``.\n\n This mode can still be enabled by using\n ``--allow-deprecated-insecure-static-crypto`` but will be removed in\n OpenVPN 2.8.\n\nSupport for wintun Windows driver has been removed.\n OpenVPN 2.6 added support for the new dco-win driver, so it supported\n three different device drivers: dco-win, wintun, and tap-windows6.\n OpenVPN 2.7 now drops the support for wintun driver. By default\n all modern configs should be supported by dco-win driver. In all\n other cases OpenVPN will fall back automatically to tap-windows6\n driver.\n\nNTLMv1 authentication support for HTTP proxies has been removed.\n This is considered an insecure method of authentication that uses\n obsolete crypto algorithms.\n NTLMv2 support is still available, but will be removed in a future\n release.\n When configured to authenticate with NTLMv1 (``ntlm`` keyword in\n ``--http-proxy``) OpenVPN will try NTLMv2 instead.\n\n``persist-key`` option has been enabled by default.\n All the keys will be kept in memory across restart.\n\nOpenSSL 1.0.2 support has been removed.\n Support for building with OpenSSL 1.0.2 has been removed. The minimum\n supported OpenSSL version is now 1.1.0.\n\nmbedTLS 2.x support has been removed\n Support for building with mbedTLS 2.x has been removed (it is out\n of support since March 2025, and the necessary compatibility code\n is making maintenance and support for mbedTLS 4.x hard).\n The minimum supported mbedTLS version is now 3.2.1.\n\nCompression on send has been removed.\n OpenVPN 2.7 will never compress data before sending. Decompression of\n received data is still supported.\n ``--allow-compression yes`` is now an alias for\n ``--allow-compression asym``.\n\n``--memstats`` feature removed\n The ``--memstats`` option was largely undocumented and there is no known\n user of this feature. This feature provided very limited statistics\n (number of users, link bytes read/written) and we do not except any\n usage because of this.\n\nUsing ``--push`` in a mode that is not ``--mode server`` will now print a\n clear warning that this is an unsupported operation and might cause\n negotiation failures.\n\n``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will\n now print an appropriate warning.\n\nOn-connect resolving of ``--remote`` addresses in ``--tcp-server`` mode\n was not working since 2.4, so the code was completely removed.\n\n\nUser-visible Changes\n--------------------\n- Default for ``--topology`` changed to ``subnet`` for ``--mode server``.\n Previous releases always used ``net30`` as default. This only affects\n configs with ``--mode server`` or ``--server`` (the latter implies the\n former), and ``--dev tun``, and only if IPv4 is enabled.\n Note that this changes the semantics of ``--ifconfig``, so if you have\n manual settings for that in your config but not set ``--topology``\n your config might fail to parse with the new version. Just adding\n ``--topology net30`` to the config should fix the problem.\n By default ``--topology`` is pushed from server to client.\n\n- ``--x509-username-field`` will no longer automatically convert fieldnames to\n uppercase. This was deprecated since OpenVPN 2.4, and has now been removed.\n\n- ``--dh none`` is now the default if ``--dh`` is not specified. Modern TLS\n implementations will prefer ECDH and other more modern algorithms anyway.\n And finite field Diffie Hellman is in the proces of being deprecated\n (see draft-ietf-tls-deprecate-obsolete-kex)\n\n- ``--lport 0`` does not imply ``--bind`` anymore.\n\n- ``--redirect-gateway`` now works correctly if the VPN remote is not\n reachable by the default gateway.\n\n- ``--show-gateway`` now supports querying the gateway for IPv4 addresses.\n\n- ``--static-challenge`` option now has a third parameter ``format`` that\n can change how password and challenge response should be combined.\n\n- ``--key`` and ``--cert`` now accept URIs implemented in OpenSSL 3 as well as\n optional OpenSSL 3 providers loaded using ``--providers`` option.\n\n- ``--cryptoapicert`` now supports issuer name as well as Windows CA template\n name or OID as selector string.\n\n- TLS handshake debugging information contains much more details now when\n using recent versions of OpenSSL.\n\n- The ``IV_PLAT_VER`` variable sent by Windows clients now contains the\n full Windows build version to make it possible to determine the\n Windows 10 or Windows 11 version used.\n\n- The ``--windows-driver`` option to select between various windows\n drivers will no longer do anything - it's kept so existing configs\n will not become invalid, but it is ignored with a warning. The default\n is now ``ovpn-dco`` if all options used are compatible with DCO, with\n a fallback to ``tap-windows6``. To force TAP (for example because a\n server pushes DCO incompatible options), use the ``--disable-dco``\n option.\n\n- Apply more checks to incoming TLS handshake packets before creating\n new state - namely, verify message ID / acked ID for \"valid range for\n an initial packet\". This fixes a problem with clients that float\n very early but send control channel packet from the pre-float IP\n (Github: OpenVPN/openvpn#704).\n\n- Use of ``--dh dh2048.pem`` in all sample configs has been replaced\n with ``--dh none``. The ``dh2048.pem`` file has been removed.\n\n- The startup delay in ``t_client.sh`` has been reduced from 3s to 1s,\n making a noticeable difference for setups with many tests.\n\n- Changed from using ``uncrustify`` for code formatting and pre-commit checks\n to ``clang-format``. This reformatted quite a bit of code, and requires\n that regular committers change their pre-commit checks accordingly.\n\n- On Linux, on interfaces where applicable, OpenVPN explicitly configures\n the broadcast address again. This was dropped for 2.6.0 \"because\n computers are smart and can do it themselves\", but the kernel netlink\n interface isn't, and will install \"0.0.0.0\". This does not normally\n matter, but for broadcast-based applications that get the address to\n use from \"ifconfig\", this change repairs functionality (this has\n been backported to 2.6.15, but is not in earlier 2.6 versions).\n\n- ``max-routes-per-client 0`` used to be silently upgraded to ``1``. This\n now produces an error.\n\n- ``ifconfig`` and ``ifconfig-ipv6`` values are now stored in pre-connect\n options cache, and will be restored to pre-connect values on reconnects\n if the server stops pushing the respective option.\n\n- ``tapctl.exe`` helper binary on Windows has been reworked to improve\n help texts (making clear that it can not only do TAP-Adapters but\n Win-DCO as well), add printing of the hwid to all adapter outputs, and\n change the default adapter type created to ``ovpn-dco``.\n\n- The default for ``multihome`` egress interface handling has changed.\n 2.7.0 will default to ipi_ifindex=0, that is, leave the decision to the\n routing/policy setup of the operating system. The pre-2.7 behaviour\n (force egress = ingress interface) can be achieved with the new\n ``--multihome same-interface`` sub-option.\n\n- Windows ``openvpn.exe`` binary manifest now sets code page UTF8 - which\n has no direct effect on OpenVPN itself, but this repairs OpenSSL file\n loading for key/cert files with non-ASCII characters in their file names\n (GH: OpenVPN/openvpn#920).\n\n- The ``test-crypto`` option no longer requires a ``--secret`` argument and\n will automatically generate a random key.\n\n- The configure-time option ``--enable-x509-alt-username`` is no longer\n conditional, and always-on (GH: OpenVPN/openvpn#917).\n\n\nDeprecated features\n-------------------\n``--opt-verify`` feature removed\n This option was already deprecated and it is now being converted to a\n no-op. Using this option will only print a warning.\n\n\nOverview of changes in 2.6\n==========================\n\nProject changes\n---------------\n\nWe want to deprecate our old Trac bug tracking system.\nPlease report any issues with this release in GitHub\ninstead: https://github.com/OpenVPN/openvpn/issues\n\nNew features\n------------\nSupport unlimited number of connection entries and remote entries\n\nNew management commands to enumerate and list remote entries\n Use ``remote-entry-count`` and ``remote-entry-get``\n commands from the management interface to get the number of\n remote entries and the entries themselves.\n\nKeying Material Exporters (RFC 5705) based key generation\n As part of the cipher negotiation OpenVPN will automatically prefer\n the RFC5705 based key material generation to the current custom\n OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.\n\nCompatibility with OpenSSL in FIPS mode\n OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort\n has been made to check or implement all the\n requirements/recommendation of FIPS 140-2. This just allows OpenVPN\n to be run on a system that be configured OpenSSL in FIPS mode.\n\n``mlock`` will now check if enough memlock-able memory has been reserved,\n and if less than 100MB RAM are available, use setrlimit() to upgrade\n the limit. See Trac #1390. Not available on OpenSolaris.\n\nCertificate pinning/verify peer fingerprint\n The ``--peer-fingerprint`` option has been introduced to give users an\n easy to use alternative to the ``tls-verify`` for matching the\n fingerprint of the peer. The option takes use a number of allowed\n SHA256 certificate fingerprints.\n\n See the man page section \"Small OpenVPN setup with peer-fingerprint\"\n for a tutorial on how to use this feature. This is also available online\n under https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst\n\nTLS mode with self-signed certificates\n When ``--peer-fingerprint`` is used, the ``--ca`` and ``--capath`` option\n become optional. This allows for small OpenVPN setups without setting up\n a PKI with Easy-RSA or similar software.\n\nDeferred auth support for scripts\n The ``--auth-user-pass-verify`` script supports now deferred authentication.\n\nPending auth support for plugins and scripts\n Both auth plugin and script can now signal pending authentication to\n the client when using deferred authentication. The new ``client-crresponse``\n script option and ``OPENVPN_PLUGIN_CLIENT_CRRESPONSE`` plugin function can\n be used to parse a client response to a ``CR_TEXT`` two factor challenge.\n\n See ``sample/sample-scripts/totpauth.py`` for an example.\n\nCompatibility mode (``--compat-mode``)\n The modernisation of defaults can impact the compatibility of OpenVPN 2.6.0\n with older peers. The options ``--compat-mode`` allows UIs to provide users\n with an easy way to still connect to older servers.\n\nOpenSSL 3.0 support\n OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user visible but\n improve general compatibility with OpenSSL 3.0. ``--tls-cert-profile insecure``\n has been added to allow selecting the lowest OpenSSL security level (not\n recommended, use only if you must). OpenSSL 3.0 no longer supports the Blowfish\n (and other deprecated) algorithm by default and the new option ``--providers``\n allows loading the legacy provider to renable these algorithms.\n\nOptional ciphers in ``--data-ciphers``\n Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark\n those as optional and only use them if the SSL library supports them.\n\n\nImproved ``--mssfix`` and ``--fragment`` calculation\n The ``--mssfix`` and ``--fragment`` options now allow an optional :code:`mtu`\n parameter to specify that different overhead for IPv4/IPv6 should taken into\n account and the resulting size is specified as the total size of the VPN packets\n including IP and UDP headers.\n\nCookie based handshake for UDP server\n Instead of allocating a connection for each client on the initial packet\n OpenVPN server will now use an HMAC based cookie as its session id. This\n way the server can verify it on completing the handshake without keeping\n state. This eliminates the amplification and resource exhaustion attacks.\n For tls-crypt-v2 clients, this requires OpenVPN 2.6 clients or later\n because the client needs to resend its client key on completing the hand\n shake. The tls-crypt-v2 option allows controlling if older clients are\n accepted.\n\n By default the rate of initial packet responses is limited to 100 per 10s\n interval to avoid OpenVPN servers being abused in reflection attacks\n (see ``--connect-freq-initial``).\n\nData channel offloading with ovpn-dco\n 2.6.0+ implements support for data-channel offloading where the data packets\n are directly processed and forwarded in kernel space thanks to the ovpn-dco\n kernel module. The userspace openvpn program acts purely as a control plane\n application. Note that DCO will use DATA_V2 packets in P2P mode, therefore,\n this implies that peers must be running 2.6.0+ in order to have P2P-NCP\n which brings DATA_V2 packet support.\n\nSession timeout\n It is now possible to terminate a session (or all) after a specified amount\n of seconds has passed session commencement. This behaviour can be configured\n using ``--session-timeout``. This option can be configured on the server, on\n the client or can also be pushed.\n\nInline auth username and password\n Username and password can now be specified inline in the configuration file\n within the tags. If the password is\n missing OpenVPN will prompt for input via stdin. This applies to inline'd\n http-proxy-user-pass too.\n\nTun MTU can be pushed\n The client can now also dynamically configure its MTU and the server\n will try to push the client MTU when the client supports it. The\n directive ``--tun-mtu-max`` has been introduced to increase the maximum\n pushable MTU size (defaults to 1600).\n\nDynamic TLS Crypt\n When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create\n a tls-crypt key that is used for renegotiation. This ensure that only the\n previously authenticated peer can do trigger renegotiation and complete\n renegotiations.\n\nImproved control channel packet size control (``max-packet-size``)\n The size of control channel is no longer tied to\n ``--link-mtu``/``--tun-mtu`` and can be set using ``--max-packet-size``.\n Sending large control channel frames is also optimised by allowing 6\n outstanding packets instead of just 4. ``max-packet-size`` will also set\n ``mssfix`` to try to limit data-channel packets as well.\n\nDeprecated features\n-------------------\n``inetd`` has been removed\n This was a very limited and not-well-tested way to run OpenVPN, on TCP\n and TAP mode only.\n\n``verify-hash`` has been deprecated\n This option has very limited usefulness and should be replaced by either\n a better ``--ca`` configuration or with a ``--tls-verify`` script.\n\n``secret`` has been deprecated\n static key mode (non-TLS) is no longer considered \"good and secure enough\"\n for today's requirements. Use TLS mode instead. If deploying a PKI CA\n is considered \"too complicated\", using ``--peer-fingerprint`` makes\n TLS mode about as easy as using ``--secret``.\n\n``ncp-disable`` has been removed\n This option mainly served a role as debug option when NCP was first\n introduced. It should now no longer be necessary.\n\nTLS 1.0 and 1.1 are deprecated\n ``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults\n to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally\n avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only.\n\n``--cipher`` argument is no longer appended to ``--data-ciphers``\n by default. Data cipher negotiation has been introduced in 2.4.0\n and been significantly improved in 2.5.0. The implicit fallback\n to the cipher specified in ``--cipher`` has been removed.\n Effectively, ``--cipher`` is a no-op in TLS mode now, and will\n only have an effect in pre-shared-key mode (``--secret``).\n From now on ``--cipher`` should not be used in new configurations\n for TLS mode.\n Should backwards compatibility with older OpenVPN peers be\n required, please see the ``--compat-mode`` instead.\n\n``--prng`` has beeen removed\n OpenVPN used to implement its own PRNG based on a hash. However implementing\n a PRNG is better left to a crypto library. So we use the PRNG\n mbed TLS or OpenSSL now.\n\n``--keysize`` has been removed\n The ``--keysize`` option was only useful to change the key length when using the\n BF, CAST6 or RC2 ciphers. For all other ciphers the key size is fixed with the\n chosen cipher. As OpenVPN v2.6 no longer supports any of these variable length\n ciphers, this option was removed as well to avoid confusion.\n\nCompression no longer enabled by default\n Unless an explicit compression option is specified in the configuration,\n ``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0.\n By default, OpenVPN 2.5 still allowed a server to enable compression by\n pushing compression related options.\n\nPF (Packet Filtering) support has been removed\n The built-in PF functionality has been removed from the code base. This\n feature wasn't really easy to use and was long unmaintained.\n This implies that also ``--management-client-pf`` and any other compile\n time or run time related option do not exist any longer.\n\nOption conflict checking is being deprecated and phased out\n The static option checking (OCC) is no longer useful in typical setups\n that negotiate most connection parameters. The ``--opt-verify`` and\n ``--occ-disable`` options are deprecated, and the configure option\n ``--enable-strict-options`` has been removed. Logging of mismatched\n options has been moved to debug logging (verb 7).\n\nUser-visible Changes\n--------------------\n- CHACHA20-POLY1305 is included in the default of ``--data-ciphers`` when available.\n- Option ``--prng`` is ignored as we rely on the SSL library random number generator.\n- Option ``--nobind`` is default when ``--client`` or ``--pull`` is used in the configuration\n- :code:`link_mtu` parameter is removed from environment or replaced with 0 when scripts are\n called with parameters. This parameter is unreliable and no longer internally calculated.\n\n- control channel packet maximum size is no longer influenced by\n ``--link-mtu``/``--tun-mtu`` and must be set by ``--max-packet-size`` now.\n The default is 1250 for the control channel size.\n\n- In point-to-point OpenVPN setups (no ``--server``), using\n ``--explict-exit-notiy`` on one end would terminate the other side at\n session end. This is considered a no longer useful default and has\n been changed to \"restart on reception of explicit-exit-notify message\".\n If the old behaviour is still desired, ``--remap-usr1 SIGTERM`` can be used.\n\n- FreeBSD tun interfaces with ``--topology subnet`` are now put into real\n subnet mode (IFF_BROADCAST instead of IFF_POINTOPOINT) - this might upset\n software that enumerates interfaces, looking for \"broadcast capable?\" and\n expecting certain results. Normal uses should not see any difference.\n\n- The default configurations will no longer allow connections to OpenVPN 2.3.x\n peer or earlier, use the new ``--compat-mode`` option if you need\n compatibility with older versions. See the manual page on the\n ``--compat-mode`` for details.\n\n- The ``client-pending-auth`` management command now requires also the\n key id. The management version has been changed to 5 to indicate this change.\n\n- (OpenVPN 2.6.2) A client will now refuse a connection if pushed compression\n settings will contradict the setting of allow-compression as this almost\n always results in a non-working connection.\n\n- The \"kill\" by addr management command now requires also the protocol\n as string e.g. \"udp\", \"tcp\".\n\nCommon errors with OpenSSL 3.0 and OpenVPN 2.6\n----------------------------------------------\nBoth OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some\nconfiguration will no longer work. This section will cover the most common\ncauses and error message we have seen and explain their reason and temporary\nworkarounds. You should fix the underlying problems as soon as possible since\nthese workaround are not secure and will eventually stop working in a future\nupdate.\n\n- weak SHA1 or MD5 signature on certificates\n\n This will happen on either loading of certificates or on connection\n to a server::\n\n OpenSSL: error:0A00018E:SSL routines::ca md too weak\n Cannot load certificate file cert.crt\n Exiting due to fatal error\n\n OpenSSL 3.0 no longer allows weak signatures on certificates. You can\n downgrade your security to allow them by using ``--tls-cert-profile insecure``\n but should replace/regenerate these certificates as soon as possible.\n\n\n- 1024 bit RSA certificates, 1024 bit DH parameters, other weak keys\n\n This happens if you use private keys or other cryptographic material that\n does not meet today's cryptographic standards anymore. Messages are similar\n to::\n\n OpenSSL: error:0A00018F:SSL routines::ee key too small\n OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small\n\n DH parameters (``--dh``) can be regenerated with ``openssl dhparam 2048``.\n For other cryptographic keys, these keys and certificates need to be\n regenerated. TLS Security level can be temporarily lowered with\n ``--tls-cert-profile legacy`` or even ``--tls-cert-profile insecure``.\n\n- Connecting to a OpenVPN 2.3.x server or allowing OpenVPN 2.3.x or earlier\n clients\n\n This will normally result in messages like::\n\n OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.\n\n or\n\n client/127.0.0.1:49954 SENT CONTROL [client]: 'AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)' (status=1)\n\n You can manually add the missing cipher to the ``--data-ciphers``. The\n standard ciphers should be included as well, e.g.\n ``--data-ciphers AES-256-GCM:AES-128-GCM:?Chacha20-Poly1305:?AES-128-CBC``.\n You can also use the ``--compat-mode`` option. Note that these message may\n also indicate other cipher configuration problems. See the data channel\n cipher negotiation manual section for more details. (Available online under\n https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst)\n\n- Use of a legacy or deprecated cipher (e.g. 64bit block ciphers)\n\n OpenSSL 3.0 no longer supports a number of insecure and outdated ciphers in\n its default configuration. Some of these ciphers are known to be vulnerable (SWEET32 attack).\n\n This will typically manifest itself in messages like::\n\n OpenSSL: error:0308010C:digital envelope routines::unsupported\n Cipher algorithm 'BF-CBC' not found\n Unsupported cipher in --data-ciphers: BF-CBC\n\n If your OpenSSL distribution comes with the legacy provider (see\n also ``man OSSL_PROVIDER-legacy``), you can load it with\n ``--providers legacy default``. This will re-enable the old algorithms.\n\n- OpenVPN version not supporting TLS 1.2 or later\n\n The default in OpenVPN 2.6 and also in many distributions is now TLS 1.2 or\n later. Connecting to a peer that does not support this will results in\n messages like::\n\n TLS error: Unsupported protocol. This typically indicates that client and\n server have no common TLS version enabled. This can be caused by mismatched\n tls-version-min and tls-version-max options on client and server. If your\n OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0\n to the client configuration to use TLS 1.0+ instead of TLS 1.0 only\n OpenSSL: error:0A000102:SSL routines::unsupported protocol\n\n This can be an OpenVPN 2.3.6 or earlier version. ``compat-version 2.3.0`` will\n enable TLS 1.0 support if supported by the OpenSSL distribution. Note that\n on some Linux distributions enabling TLS 1.1 or 1.0 is not possible.\n\n\n\nOverview of changes in 2.5\n==========================\n\nNew features\n------------\nClient-specific tls-crypt keys (``--tls-crypt-v2``)\n ``tls-crypt-v2`` adds the ability to supply each client with a unique\n tls-crypt key. This allows large organisations and VPN providers to profit\n from the same DoS and TLS stack protection that small deployments can\n already achieve using ``tls-auth`` or ``tls-crypt``.\n\nChaCha20-Poly1305 cipher support\n Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data\n channel.\n\nImproved Data channel cipher negotiation\n The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.\n The old name is still accepted. The change in name signals that\n ``data-ciphers`` is the preferred way to configure data channel\n ciphers and the data prefix is chosen to avoid the ambiguity that\n exists with ``--cipher`` for the data cipher and ``tls-cipher``\n for the TLS ciphers.\n\n OpenVPN clients will now signal all supported ciphers from the\n ``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN\n servers will select the first common cipher from the ``data-ciphers``\n list instead of blindly pushing the first cipher of the list. This\n allows to use a configuration like\n ``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that\n prefers ChaCha20-Poly1305 but uses it only if the client supports it.\n\n See the data channel negotiation section in the manual for more details.\n\nRemoval of BF-CBC support in default configuration:\n By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as\n data ciphers. OpenVPN 2.4 allows AES-256-GCM,AES-128-GCM and BF-CBC when\n no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be\n enabled by adding\n\n data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC\n\n and when you need to support very old peers also\n\n data-ciphers-fallback BF-CBC\n\n To offer backwards compatibility with older configs an *explicit*\n\n cipher BF-CBC\n\n in the configuration will be automatically translated into adding BF-CBC\n to the data-ciphers option and setting data-ciphers-fallback to BF-CBC\n (as in the example commands above). We strongly recommend to switching\n away from BF-CBC to a more secure cipher.\n\nAsynchronous (deferred) authentication support for auth-pam plugin.\n See src/plugins/auth-pam/README.auth-pam for details.\n\nDeferred client-connect\n The ``--client-connect`` option and the connect plugin API allow\n asynchronous/deferred return of the configuration file in the same way\n as the auth-plugin.\n\nFaster connection setup\n A client will signal in the ``IV_PROTO`` variable that it is in pull\n mode. This allows the server to push the configuration options to\n the client without waiting for a ``PULL_REQUEST`` message. The feature\n is automatically enabled if both client and server support it and\n significantly reduces the connection setup time by avoiding one\n extra packet round-trip and 1s of internal event delays.\n\nNetlink support\n On Linux, if configured without ``--enable-iproute2``, configuring IP\n addresses and adding/removing routes is now done via the netlink(3)\n kernel interface. This is much faster than calling ``ifconfig`` or\n ``route`` and also enables OpenVPN to run with less privileges.\n\n If configured with --enable-iproute2, the ``ip`` command is used\n (as in 2.4). Support for ``ifconfig`` and ``route`` is gone.\n\nWintun support\n On Windows, OpenVPN can now use ``wintun`` devices. They are faster\n than the traditional ``tap9`` tun/tap devices, but do not provide\n ``--dev tap`` mode - so the official installers contain both. To use\n a wintun device, add ``--windows-driver wintun`` to your config\n (and use of the interactive service is required as wintun needs\n SYSTEM privileges to enable access).\n\nIPv6-only operation\n It is now possible to have only IPv6 addresses inside the VPN tunnel,\n and IPv6-only address pools (2.4 always required IPv4 config/pools\n and IPv6 was the \"optional extra\").\n\nImproved Windows 10 detection\n Correctly log OS on Windows 10 now.\n\nLinux VRF support\n Using the new ``--bind-dev`` option, the OpenVPN outside socket can\n now be put into a Linux VRF. See the \"Virtual Routing and Forwarding\"\n documentation in the man page.\n\nTLS 1.3 support\n TLS 1.3 support has been added to OpenVPN. Currently, this requires\n OpenSSL 1.1.1+.\n The options ``--tls-ciphersuites`` and ``--tls-groups`` have been\n added to fine tune TLS protocol options. Most of the improvements\n were also backported to OpenVPN 2.4 as part of the maintainance\n releases.\n\nSupport setting DHCP search domain\n A new option ``--dhcp-option DOMAIN-SEARCH my.example.com`` has been\n defined, and Windows support for it is implemented (tun/tap only, no\n wintun support yet). Other platforms need to support this via ``--up``\n script (Linux) or GUI (OSX/Tunnelblick).\n\nper-client changing of ``--data-ciphers`` or ``data-ciphers-fallback``\n from client-connect script/dir (NOTE: this only changes preference of\n ciphers for NCP, but can not override what the client announces as\n \"willing to accept\")\n\nHandle setting of tun/tap interface MTU on Windows\n If IPv6 is in use, MTU must be >= 1280 (Windows enforces IETF requirements)\n\nAdd support for OpenSSL engines to access private key material (like TPM).\n\nHMAC based auth-token support\n The ``--auth-gen-token`` support has been improved and now generates HMAC\n based user token. If the optional ``--auth-gen-token-secret`` option is\n used clients will be able to seamlessly reconnect to a different server\n using the same secret file or to the same server after a server restart.\n\nImproved support for pending authentication\n The protocol has been enhanced to be able to signal that\n the authentication should use a secondary authentication\n via web (like SAML) or a two factor authentication without\n disconnecting the OpenVPN session with AUTH_FAILED. The\n session will instead be stay in a authenticated state and\n wait for the second factor authentication to complete.\n\n This feature currently requires usage of the managent interface\n on both client and server side. See the ``management-notes.txt``\n ``client-pending-auth`` and ``cr-response`` commands for more\n details.\n\nVLAN support\n OpenVPN servers in TAP mode can now use 802.1q tagged VLANs\n on the TAP interface to separate clients into different groups\n that can then be handled differently (different subnets / DHCP,\n firewall zones, ...) further down the network. See the new\n options ``--vlan-tagging``, ``--vlan-accept``, ``--vlan-pvid``.\n\n 802.1q tagging on the client side TAP interface is not handled\n today (= tags are just forwarded transparently to the server).\n\nSupport building of .msi installers for Windows\n\nAllow unicode search string in ``--cryptoapicert`` option (Windows)\n\nSupport IPv4 configs with /31 netmasks now\n (By no longer trying to configure ``broadcast x.x.x.x`` in\n ifconfig calls, /31 support \"just works\")\n\nNew option ``--block-ipv6`` to reject all IPv6 packets (ICMPv6)\n this is useful if the VPN service has no IPv6, but the clients\n might have (LAN), to avoid client connections to IPv6-enabled\n servers leaking \"around\" the IPv4-only VPN.\n\n``--ifconfig-ipv6`` and ``--ifconfig-ipv6-push`` will now accept\n hostnames and do a DNS lookup to get the IPv6 address to use\n\n\nDeprecated features\n-------------------\nFor an up-to-date list of all deprecated options, see this wiki page:\nhttps://community.openvpn.net/openvpn/wiki/DeprecatedOptions\n\n- ``ncp-disable`` has been deprecated\n With the improved and matured data channel cipher negotiation, the use\n of ``ncp-disable`` should not be necessary anymore.\n\n- ``inetd`` has been deprecated\n This is a very limited and not-well-tested way to run OpenVPN, on TCP\n and TAP mode only, which complicates the code quite a bit for little gain.\n To be removed in OpenVPN 2.6 (unless users protest).\n\n- ``no-iv`` has been removed\n This option was made into a NOOP option with OpenVPN 2.4. This has now\n been completely removed.\n\n- ``--client-cert-not-required`` has been removed\n This option will now cause server configurations to not start. Use\n ``--verify-client-cert none`` instead.\n\n- ``--ifconfig-pool-linear`` has been removed\n This option is removed. Use ``--topology p2p`` or ``--topology subnet``\n instead.\n\n- ``--compress xxx`` is considered risky and is warned against, see below.\n\n- ``--key-method 1`` has been removed\n\n\nUser-visible Changes\n--------------------\n- If multiple connect handlers are used (client-connect, ccd, connect\n plugin) and one of the handler succeeds but a subsequent fails, the\n client-disconnect-script is now called immediately. Previously it\n was called, when the VPN session was terminated.\n\n- Support for building with OpenSSL 1.0.1 has been removed. The minimum\n supported OpenSSL version is now 1.0.2.\n\n- The GET_CONFIG management state is omitted if the server pushes\n the client configuration almost immediately as result of the\n faster connection setup feature.\n\n- ``--compress`` is nowadays considered risky, because attacks exist\n leveraging compression-inside-crypto to reveal plaintext (VORACLE). So\n by default, ``--compress xxx`` will now accept incoming compressed\n packets (for compatibility with peers that have not been upgraded yet),\n but will not use compression outgoing packets. This can be controlled with\n the new option ``--allow-compression yes|no|asym``.\n\n- Stop changing ``--txlen`` aways from OS defaults unless explicitly specified\n in config file. OS defaults nowadays are actually larger then what we used\n to configure, so our defaults sometimes caused packet drops = bad performance.\n\n- remove ``--writepid`` pid file on exit now\n\n- plugin-auth-pam now logs via OpenVPN logging method, no longer to stderr\n (this means you'll have log messages in syslog or openvpn log file now)\n\n- use ISO 8601 time format for file based logging now (YYYY-MM-DD hh:mm:dd)\n (syslog is not affected, nor is ``--machine-readable-output``)\n\n- ``--clr-verify`` now loads all CRLs if more than one CRL is in the same\n file (OpenSSL backend only, mbedTLS always did that)\n\n- when ``--auth-user-pass file`` has no password, and the management interface\n is active, query management interface (instead of trying console query,\n which does not work on windows)\n\n- skip expired certificates in Windows certificate store (``--cryptoapicert``)\n\n- ``--socks-proxy`` + ``--proto udp*`` will now allways use IPv4, even if\n IPv6 is requested and available. Our SOCKS code does not handle IPv6+UDP,\n and before that change it would just fail in non-obvious ways.\n\n- TCP listen() backlog queue is now set to 32 - this helps TCP servers that\n receive lots of \"invalid\" connects by TCP port scanners\n\n- do no longer print OCC warnings (\"option mismatch\") about ``key-method``,\n ``keydir``, ``tls-auth`` and ``cipher`` - these are either gone now, or\n negotiated, and the warnings do not serve a useful purpose.\n\n- ``dhcp-option DNS`` and ``dhcp-option DNS6`` are now treated identically\n (= both accept an IPv4 or IPv6 address for the nameserver)\n\n\nMaintainer-visible changes\n--------------------------\n- the man page is now in maintained in .rst format, so building the openvpn.8\n manpage from a git checkout now requires python-docutils (if this is missing,\n the manpage will not be built - which is not considered an error generally,\n but for package builders or ``make distcheck`` it is). Release tarballs\n contain the openvpn.8 file, so unless some .rst is changed, doc-utils are\n not needed for building.\n\n- OCC support can no longer be disabled\n\n- AEAD support is now required in the crypto library\n\n- ``--disable-server`` has been removed from configure (so it is no longer\n possible to build a client-/p2p-only OpenVPN binary) - the saving in code\n size no longer outweighs the extra maintenance effort.\n\n- ``--enable-iproute2`` will disable netlink(3) support, so maybe remove\n that from package building configs (see above)\n\n- support building with MSVC 2019\n\n- cmocka based unit tests are now only run if cmocka is installed externally\n (2.4 used to ship a local git submodule which was painful to maintain)\n\n- ``--disable-crypto`` configure option has been removed. OpenVPN is now always\n built with crypto support, which makes the code much easier to maintain.\n This does not affect ``--cipher none`` to do a tunnel without encryption.\n\n- ``--disable-multi`` configure option has been removed\n\n\n\nOverview of changes in 2.4\n==========================\n\n\nNew features\n------------\nSeamless client IP/port floating\n Added new packet format P_DATA_V2, which includes peer-id. If both the\n server and client support it, the client sends all data packets in\n the new format. When a data packet arrives, the server identifies peer\n by peer-id. If peer's ip/port has changed, server assumes that\n client has floated, verifies HMAC and updates ip/port in internal structs.\n This allows the connection to be immediately restored, instead of requiring\n a TLS handshake before the server accepts packets from the new client\n ip/port.\n\nData channel cipher negotiation\n Data channel ciphers (``--cipher``) are now by default negotiated. If a\n client advertises support for Negotiable Crypto Parameters (NCP), the\n server will choose a cipher (by default AES-256-GCM) for the data channel,\n and tell the client to use that cipher. Data channel cipher negotiation\n can be controlled using ``--ncp-ciphers`` and ``--ncp-disable``.\n\n A more limited version also works in client-to-server and server-to-client\n scenarios where one of the end points uses a v2.4 client or server and the\n other side uses an older version. In such scenarios the v2.4 side will\n change to the ``--cipher`` set by the remote side, if permitted by by\n ``--ncp-ciphers``. For example, a v2.4 client with ``--cipher BF-CBC``\n and ``ncp-ciphers AES-256-GCM:AES-256-CBC`` can connect to both a v2.3\n server with ``cipher BF-CBC`` as well as a server with\n ``cipher AES-256-CBC`` in its config. The other way around, a v2.3 client\n with either ``cipher BF-CBC`` or ``cipher AES-256-CBC`` can connect to a\n v2.4 server with e.g. ``cipher BF-CBC`` and\n ``ncp-ciphers AES-256-GCM:AES-256-CBC`` in its config. For this to work\n it requires that OpenVPN was built without disabling OCC support.\n\nAEAD (GCM) data channel cipher support\n The data channel now supports AEAD ciphers (currently only GCM). The AEAD\n packet format has a smaller crypto overhead than the CBC packet format,\n (e.g. 20 bytes per packet for AES-128-GCM instead of 36 bytes per packet\n for AES-128-CBC + HMAC-SHA1).\n\nECDH key exchange\n The TLS control channel now supports for elliptic curve diffie-hellmann\n key exchange (ECDH).\n\nImproved Certificate Revocation List (CRL) processing\n CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead\n of inside OpenVPN itself. The crypto library implementations are more\n strict than the OpenVPN implementation was. This might reject peer\n certificates that would previously be accepted. If this occurs, OpenVPN\n will log the crypto library's error description.\n\nDualstack round-robin DNS client connect\n Instead of only using the first address of each ``--remote`` OpenVPN\n will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry.\n\nSupport for providing IPv6 DNS servers\n A new DHCP sub-option ``DNS6`` is added alongside with the already existing\n ``DNS`` sub-option. This is used to provide DNS resolvers available over\n IPv6. This may be pushed to clients where `` --up`` scripts and ``--plugin``\n can act upon it through the ``foreign_option_`` environment variables.\n\n Support for the Windows client picking up this new sub-option is added,\n however IPv6 DNS resolvers need to be configured via ``netsh`` which requires\n administrator privileges unless the new interactive services on Windows is\n being used. If the interactive service is used, this service will execute\n ``netsh`` in the background with the proper privileges.\n\nNew improved Windows Background service\n The new OpenVPNService is based on openvpnserv2, a complete rewrite of the OpenVPN\n service wrapper. It is intended for launching OpenVPN instances that should be\n up at all times, instead of being manually launched by a user. OpenVPNService is\n able to restart individual OpenVPN processes if they crash, and it also works\n properly on recent Windows versions. OpenVPNServiceLegacy tends to work poorly,\n if at all, on newer Windows versions (8+) and its use is not recommended.\n\nNew interactive Windows service\n The installer starts OpenVPNServiceInteractive automatically and configures\n it to start\tat system startup.\n\n The interactive Windows service allows unprivileged users to start\n OpenVPN connections in the global config directory (usually\n C:\\\\Program Files\\\\OpenVPN\\\\config) using OpenVPN GUI without any\n extra configuration.\n\n Users who belong to the built-in Administrator group or to the\n local \"OpenVPN Administrator\" group can also store configuration\n files under %USERPROFILE%\\\\OpenVPN\\\\config for use with the\n interactive service.\n\nredirect-gateway ipv6\n OpenVPN has now feature parity between IPv4 and IPv6 for redirect\n gateway including the handling of overlapping IPv6 routes with\n IPv6 remote VPN server address.\n\nLZ4 Compression and pushable compression\n Additionally to LZO compression OpenVPN now also supports LZ4 compression.\n Compression options are now pushable from the server.\n\nFilter pulled options client-side: pull-filter\n New option to explicitly allow or reject options pushed by the server.\n May be used multiple times and is applied in the order specified.\n\nPer-client remove push options: push-remove\n New option to remove options on a per-client basis from the \"push\" list\n (more fine-grained than ``--push-reset``).\n\nHttp proxy password inside config file\n Http proxy passwords can be specified with the inline file option\n ```` .. ````\n\nWindows version detection\n Windows version is detected, logged and possibly signalled to server\n (IV_PLAT_VER= if ``--push-peer-info`` is set on client).\n\nAuthentication tokens\n In situations where it is not suitable to save user passwords on the client,\n OpenVPN has support for pushing a --auth-token since v2.3. This option is\n pushed from the server to the client with a token value to be used instead\n of the users password. For this to work, the authentication plug-in would\n need to implement this support as well. In OpenVPN 2.4 --auth-gen-token\n is introduced, which will allow the OpenVPN server to generate a random\n token and push it to the client without any changes to the authentication\n modules. When the clients need to re-authenticate the OpenVPN server will\n do the authentication internally, instead of sending the re-authentication\n request to the authentication module . This feature is especially\n useful in configurations which use One Time Password (OTP) authentication\n schemes, as this allows the tunnel keys to be renegotiated regularly without\n any need to supply new OTP codes.\n\nkeying-material-exporter\n Keying Material Exporter [RFC-5705] allow additional keying material to be\n derived from existing TLS channel.\n\nAndroid platform support\n Support for running on Android using Android's VPNService API has been added.\n See doc/android.txt for more details. This support is primarily used in\n the OpenVPN for Android app (https://github.com/schwabe/ics-openvpn)\n\nAIX platform support\n AIX platform support has been added. The support only includes tap\n devices since AIX does not provide tun interface.\n\nControl channel encryption (``--tls-crypt``)\n Use a pre-shared static key (like the ``--tls-auth`` key) to encrypt control\n channel packets. Provides more privacy, some obfuscation and poor-man's\n post-quantum security.\n\nAsynchronous push reply\n Plug-ins providing support for deferred authentication can benefit from a more\n responsive authentication where the server sends PUSH_REPLY immediately once\n the authentication result is ready, instead of waiting for the client to\n to send PUSH_REQUEST once more. This requires OpenVPN to be built with\n ``./configure --enable-async-push``. This is a compile-time only switch.\n\n\nDeprecated features\n-------------------\nFor an up-to-date list of all deprecated options, see this wiki page:\nhttps://community.openvpn.net/openvpn/wiki/DeprecatedOptions\n\n- ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.\n Migrate away from ``--key-method 1`` as soon as possible. The recommended\n approach is to remove the ``--key-method`` option from the configuration\n files, OpenVPN will then use ``--key-method 2`` by default. Note that this\n requires changing the option in both the client and server side configs.\n\n- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3\n man-pages. Similar functionality is provided via ``--verify-x509-name``,\n which does the same job in a better way.\n\n- ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3\n and will be removed in v2.5. All scripts and plug-ins depending on the old\n non-standard X.509 subject formatting must be updated to the standardized\n formatting. See the man page for more information.\n\n- ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.\n\n- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6\n together with the support of ciphers with cipher block size less than\n 128-bits.\n\n- ``--comp-lzo`` is deprecated in OpenVPN 2.4. Use ``--compress`` instead.\n\n- ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be\n removed in v2.5. Use ``--topology p2p`` instead.\n\n- ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be removed\n in v2.5. Use ``--verify-client-cert none`` for a functional equivalent.\n\n- ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4. It will be removed\n in v2.5. Use the far better ``--remote-cert-tls`` option which replaces this\n feature.\n\n\nUser-visible Changes\n--------------------\n- When using ciphers with cipher blocks less than 128-bits,\n OpenVPN will complain loudly if the configuration uses ciphers considered\n weak, such as the SWEET32 attack vector. In such scenarios, OpenVPN will by\n default renegotiate for each 64MB of transported data (``--reneg-bytes``).\n This renegotiation can be disabled, but is HIGHLY DISCOURAGED.\n\n- For certificate DNs with duplicate fields, e.g. \"OU=one,OU=two\", both fields\n are now exported to the environment, where each second and later occurrence\n of a field get _$N appended to it's field name, starting at N=1. For the\n example above, that would result in e.g. X509_0_OU=one, X509_0_OU_1=two.\n Note that this breaks setups that rely on the fact that OpenVPN would\n previously (incorrectly) only export the last occurrence of a field.\n\n- ``proto udp`` and ``proto tcp`` now use both IPv4 and IPv6. The new\n options ``proto udp4`` and ``proto tcp4`` use IPv4 only.\n\n- ``--sndbuf`` and ``--recvbuf`` default now to OS defaults instead of 64k\n\n- OpenVPN exits with an error if an option has extra parameters;\n previously they were silently ignored\n\n- ``--tls-auth`` always requires OpenVPN static key files and will no\n longer work with free form files\n\n- ``--proto udp6/tcp6`` in server mode will now try to always listen to\n both IPv4 and IPv6 on platforms that allow it. Use ``--bind ipv6only``\n to explicitly listen only on IPv6.\n\n- Removed ``--enable-password-save`` from configure. This option is now\n always enabled.\n\n- Stricter default TLS cipher list (override with ``--tls-cipher``), that now\n also disables:\n\n * Non-ephemeral key exchange using static (EC)DH keys\n * DSS private keys\n\n- mbed TLS builds: changed the tls_digest_N values exported to the script\n environment to be equal to the ones exported by OpenSSL builds, namely\n the certificate fingerprint (was the hash of the 'to be signed' data).\n\n- mbed TLS builds: minimum RSA key size is now 2048 bits. Shorter keys will\n not be accepted, both local and from the peer.\n\n- ``--connect-timeout`` now specifies the timeout until the first TLS packet\n is received (identical to ``--server-poll-timeout``) and this timeout now\n includes the removed socks proxy timeout and http proxy timeout.\n\n In ``--static`` mode ``connect-timeout`` specifies the timeout for TCP and\n proxy connection establishment\n\n- ``--connect-retry-max`` now specifies the maximum number of unsuccessful\n attempts of each remote/connection entry before exiting.\n\n- ``--http-proxy-timeout`` and the static non-changeable socks timeout (5s)\n have been folded into a \"unified\" ``--connect-timeout`` which covers all\n steps needed to connect to the server, up to the start of the TLS exchange.\n The default value has been raised to 120s, to handle slow http/socks\n proxies graciously. The old \"fail TCP fast\" behaviour can be achieved by\n adding \"``--connect-timeout 10``\" to the client config.\n\n- ``--http-proxy-retry`` and ``--sock-proxy-retry`` have been removed. Proxy connections\n will now behave like regular connection entries and generate a USR1 on failure.\n\n- ``--connect-retry`` gets an optional second argument that specifies the maximum\n time in seconds to wait between reconnection attempts when an exponential\n backoff is triggered due to repeated retries. Default = 300 seconds.\n\n- Data channel cipher negotiation (see New features section) can override\n ciphers configured in the config file. Use ``--ncp-disable`` if you do not want\n this behavior.\n\n- All tun devices on all platforms are always considered to be IPv6\n capable. The ``--tun-ipv6`` option is ignored (behaves like it is always\n on).\n\n- On the client side recursively routed packets, which have the same destination\n as the VPN server, are dropped. This can be disabled with\n --allow-recursive-routing option.\n\n- On Windows, when the ``--register-dns`` option is set, OpenVPN no longer\n restarts the ``dnscache`` service - this had unwanted side effects, and\n seems to be no longer necessary with currently supported Windows versions.\n\n- If no flags are given, and the interactive Windows service is used, \"def1\"\n is implicitly set (because \"delete and later reinstall the existing\n default route\" does not work well here). If not using the service,\n the old behaviour is kept.\n\n- OpenVPN now reloads a CRL only if the modication time or file size has\n changed, instead of for each new connection. This reduces the connection\n setup time, in particular when using large CRLs.\n\n- OpenVPN now ships with more up-to-date systemd unit files which take advantage\n of the improved service management as well as some hardening steps. The\n configuration files are picked up from the /etc/openvpn/server/ and\n /etc/openvpn/client/ directories (depending on unit file). This also avoids\n these new unit files and how they work to collide with older pre-existing\n unit files.\n\n- Using ``--no-iv`` (which is generally not a recommended setup) will\n require explicitly disabling NCP with ``--disable-ncp``. This is\n intentional because NCP will by default use AES-GCM, which requires\n an IV - so we want users of that option to consciously reconsider.\n\n\nMaintainer-visible changes\n--------------------------\n- OpenVPN no longer supports building with crypto support, but without TLS\n support. As a consequence, OPENSSL_CRYPTO_{CFLAGS,LIBS} and\n OPENSSL_SSL_{CFLAGS,LIBS} have been merged into OPENSSL_{CFLAGS,LIBS}. This\n is particularly relevant for maintainers who build their own OpenSSL library,\n e.g. when cross-compiling.\n\n- Linux distributions using systemd is highly encouraged to ship these new unit\n files instead of older ones, to provide a unified behaviour across systemd\n based Linux distributions.\n\n- With OpenVPN 2.4, the project has moved over to depend on and actively use\n the official C99 standard (-std=c99). This may fail on some older compiler/libc\n header combinations. In most of these situations it is recommended to\n use -std=gnu99 in CFLAGS. This is known to be needed when doing\n i386/i686 builds on RHEL5.\n\n\nVersion 2.4.5\n=============\n\nNew features\n------------\n- The new option ``--tls-cert-profile`` can be used to restrict the set of\n allowed crypto algorithms in TLS certificates in mbed TLS builds. The\n default profile is 'legacy' for now, which allows SHA1+, RSA-1024+ and any\n elliptic curve certificates. The default will be changed to the 'preferred'\n profile in the future, which requires SHA2+, RSA-2048+ and any curve.\n\n\nVersion 2.4.3\n=============\n\nNew features\n------------\n- Support building with OpenSSL 1.1 now (in addition to older versions)\n\n- On Win10, set low interface metric for TAP adapter when block-outside-dns\n is in use, to make Windows prefer the TAP adapter for DNS queries\n (avoiding large delays)\n\n\nSecurity\n--------\n- CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS\n A client could crash a v2.4+ mbedtls server, if that server uses the\n ``--x509-track`` option and the client has a correct, signed and unrevoked\n certificate that contains an embedded NUL in the certificate subject.\n Discovered and reported to the OpenVPN security team by Guido Vranken.\n\n- CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks\n A client could cause a server to leak a few bytes each time it connects to the\n server. That can eventually cause the server to run out of memory, and thereby\n causing the server process to terminate. Discovered and reported to the\n OpenVPN security team by Guido Vranken. (OpenSSL builds only.)\n\n- CVE-2017-7521: Fix a potential post-authentication remote code execution\n attack on servers that use the ``--x509-username-field`` option with an X.509\n extension field (option argument prefixed with ``ext:``). A client that can\n cause a server to run out-of-memory (see above) might be able to cause the\n server to double free, which in turn might lead to remote code execution.\n Discovered and reported to the OpenVPN security team by Guido Vranken.\n (OpenSSL builds only.)\n\n- CVE-2017-7520: Pre-authentication remote crash/information disclosure for\n clients. If clients use a HTTP proxy with NTLM authentication (i.e.\n ``--http-proxy [|'auto'|'auto-nct'] ntlm2``),\n a man-in-the-middle attacker between the client and the proxy can cause\n the client to crash or disclose at most 96 bytes of stack memory. The\n disclosed stack memory is likely to contain the proxy password. If the\n proxy password is not reused, this is unlikely to compromise the security\n of the OpenVPN tunnel itself. Clients who do not use the ``--http-proxy``\n option with ntlm2 authentication are not affected.\n\n- CVE-2017-7508: Fix remotely-triggerable ASSERT() on malformed IPv6 packet.\n This can be used to remotely shutdown an openvpn server or client, if\n IPv6 and ``--mssfix`` are enabled and the IPv6 networks used inside the VPN\n are known.\n\n- Fix null-pointer dereference when talking to a malicious http proxy\n that returns a malformed ``Proxy-Authenticate:`` headers for digest auth.\n\n- Fix overflow check for long ``--tls-cipher`` option\n\n- Windows: Pass correct buffer size to ``GetModuleFileNameW()``\n (OSTIF/Quarkslabs audit, finding 5.6)\n\n\nUser-visible Changes\n--------------------\n- ``--verify-hash`` can now take an optional flag which changes the hashing\n algorithm. It can be either SHA1 or SHA256. The default if not provided is\n SHA1 to preserve backwards compatibility with existing configurations.\n\n- Restrict the supported ``--x509-username-field`` extension fields to subjectAltName\n and issuerAltName. Other extensions probably didn't work anyway, and would\n cause OpenVPN to crash when a client connects.\n\n\nBugfixes\n--------\n- Fix fingerprint calculation in mbed TLS builds. This means that mbed TLS users\n of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the\n ``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change\n the fingerprint values they check against. The security impact of the\n incorrect calculation is very minimal; the last few bytes (max 4, typically\n 4) are not verified by the fingerprint. We expect no real-world impact,\n because users that used this feature before will notice that it has suddenly\n stopped working, and users that didn't will notice that connection setup\n fails if they specify correct fingerprints.\n\n- Fix edge case with NCP when the server sends an empty PUSH_REPLY message\n back, and the client would not initialize it's data channel crypto layer\n properly (trac #903)\n\n- Fix SIGSEGV on unaligned buffer access on OpenBSD/Sparc64\n\n- Fix TCP_NODELAY on OpenBSD\n\n- Remove erroneous limitation on max number of args for ``--plugin``\n\n- Fix NCP behaviour on TLS reconnect (Server would not send a proper\n \"cipher ...\" message back to the client, leading to client and server\n using different ciphers) (trac #887)\n\n\nVersion 2.4.2\n=============\n\nBugfixes\n--------\n- Fix memory leak introduced in OpenVPN 2.4.1: if ``--remote-cert-tls`` is\n used, we leaked some memory on each TLS (re)negotiation.\n\n\nSecurity\n--------\n- Fix a pre-authentication denial-of-service attack on both clients and\n servers. By sending a too-large control packet, OpenVPN 2.4.0 or v2.4.1 can\n be forced to hit an ASSERT() and stop the process. If ``--tls-auth`` or\n ``--tls-crypt`` is used, only attackers that have the ``--tls-auth`` or\n ``--tls-crypt`` key can mount an attack.\n (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)\n\n- Fix an authenticated remote DoS vulnerability that could be triggered by\n causing a packet id roll over. An attack is rather inefficient; a peer\n would need to get us to send at least about 196 GB of data.\n (OSTIF/Quarkslab audit finding 5.2, CVE-2017-7479)\n\n\nVersion 2.4.1\n=============\n- ``--remote-cert-ku`` now only requires the certificate to have at least the\n bits set of one of the values in the supplied list, instead of requiring an\n exact match to one of the values in the list.\n- ``--remote-cert-tls`` now only requires that a keyUsage is present in the\n certificate, and leaves the verification of the value up to the crypto\n library, which has more information (i.e. the key exchange method in use)\n to verify that the keyUsage is correct.\n- ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead.\n The nsCertType x509 extension is very old, and barely used.\n ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage\n extension instead. Make sure your certificates carry these to be able to\n use ``--remote-cert-tls``.\n\n" }, { "path": "INSTALL", "content": "Installation instructions for OpenVPN, a Secure Tunneling Daemon\n\nCopyright (C) 2002-2022 OpenVPN Inc. This program is free software;\nyou can redistribute it and/or modify\nit under the terms of the GNU General Public License version 2\nas published by the Free Software Foundation.\n\n*************************************************************************\n\nQUICK START:\n\n Unix:\n ./configure && make && make install\n\n*************************************************************************\n\nTo download OpenVPN source code of releases, go to:\n\n https://openvpn.net/community-downloads/\n\nOpenVPN releases are also available as Debian/RPM packages:\n\n https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos\n\nOpenVPN development versions can be found here:\n\n https://github.com/OpenVPN/openvpn\n https://gitlab.com/OpenVPN/openvpn\n https://sourceforge.net/p/openvpn/openvpn/ci/master/tree/\n\nThey should all be in sync at any time.\n\nTo download easy-rsa go to:\n\n https://github.com/OpenVPN/easy-rsa\n\nTo download tap-windows (NDIS 6) driver source code go to:\n\n https://github.com/OpenVPN/tap-windows6\n\nTo download ovpn-dco Windows driver source code go to:\n\n https://github.com/OpenVPN/ovpn-dco-win\n\nTo get the cross-compilation environment go to:\n\n https://github.com/OpenVPN/openvpn-build\n\nFor step-by-step instructions with real-world examples see:\n\n https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN\n https://community.openvpn.net/openvpn/wiki\n https://openvpn.net/community-resources/\n\nAlso see the man page for more information.\n\n*************************************************************************\n\nFor a list of supported platforms and architectures, and for\ninstructions how to port OpenVPN to a yet-unsupported architecture,\nsee the file \"PORTS\".\n\n*************************************************************************\n\nSYSTEM REQUIREMENTS:\n (1) TUN and/or TAP driver to allow user-space programs to control\n a virtual point-to-point IP or Ethernet device.\n See TUN/TAP Driver References section below for more info.\n (2a) OpenSSL library, necessary for encryption, version 1.1.0 or higher\n required, available from https://www.openssl.org/\n or\n (2b) mbed TLS library, an alternative for encryption, version 2.0 or higher\n required, available from https://tls.mbed.org/\n (3) on Linux, \"libnl-gen\" is required for kernel netlink support\n (4) on Linux, \"libcap-ng\" is required for Linux capability handling\n\nOPTIONAL:\n (5) LZO real-time compression library, required for link compression,\n available from https://www.oberhumer.com/opensource/lzo/\n (most supported operating systems have LZO in their installable\n packages repository. It might be necessary to add LZO_CFLAGS=\n and LZO_LIBS= to the configure call to make it find the LZO pieces)\n (6) LZ4 compression library\n\nOPTIONAL (for developers only):\n (1) Autoconf 2.59 or higher\n Automake 1.9 or higher\n Libtool\n Git\n (2) cmocka test framework (https://cmocka.org)\n (3) If using t_client.sh test framework, fping/fping6 is needed\n Note: t_client.sh needs an external configured OpenVPN server.\n See t_client.rc-sample for more info.\n\n*************************************************************************\n\nCHECK OUT SOURCE FROM SOURCE REPOSITORY:\n\n Clone the repository:\n\n git clone https://github.com/OpenVPN/openvpn\n git clone https://gitlab.com/OpenVPN/openvpn\n git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn\n\n Check out stable version:\n\n git checkout release/2.6\n\n Check out master (unstable) branch:\n\n git checkout master\n\n\n*************************************************************************\n\nBUILD COMMANDS FROM TARBALL:\n\n\t./configure\n\tmake\n\tsudo make install\n\n*************************************************************************\n\nBUILD COMMANDS FROM SOURCE REPOSITORY CHECKOUT:\n\n\tautoreconf -i -v -f\n\t./configure\n\tmake\n\tsudo make install\n\n*************************************************************************\n\nBUILD A TARBALL FROM SOURCE REPOSITORY CHECKOUT:\n\n\tautoreconf -i -v -f\n\t./configure\n\tmake distcheck\n\n*************************************************************************\n\nTESTS (after BUILD):\n\nmake check (Run all tests below)\n\nTest Crypto:\n\n./openvpn --genkey secret key\n./openvpn --test-crypto --secret key\n\nTest SSL/TLS negotiations (runs for 2 minutes):\n\n./openvpn --config sample/sample-config-files/loopback-client (In one window)\n./openvpn --config sample/sample-config-files/loopback-server (Simultaneously in another window)\n\nFor more thorough client-server tests you can configure your own, private test\nenvironment. See tests/t_client.rc-sample for details.\n\nTo do the C unit tests, you need to have the \"cmocka\" test framework\ninstalled on your system. More recent distributions already ship this\nas part of their packages/ports. If your system does not have it,\nyou can install cmocka with these commands:\n\n $ git clone https://git.cryptomilk.org/projects/cmocka.git\n $ cd cmocka\n $ mkdir build\n $ cd build\n $ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DCMAKE_BUILD_TYPE=Debug ..\n $ make\n $ sudo make install\n\n\n*************************************************************************\n\nOPTIONS for ./configure:\n\n To get an overview of all the configure options, run \"./configure --help\"\n\nENVIRONMENT for ./configure:\n\n For more fine-grained control on include + library paths for external\n components etc., configure can be called with environment variables on\n the command line, e.g.\n\n ./configure OPENSSL_CFLAGS=\"-I/usr/local/include\" ...\n\n these are also explained in \"./configure --help\", so not repeated here.\n\n*************************************************************************\n\nLinux distribution packaging:\n\nEach Linux distribution has their own way of doing packaging and their\nown set of guidelines of how proper packaging should be done. It\nis therefore recommended to reach out to the Linux distributions you\nwant to have OpenVPN packaged for directly. The OpenVPN project wants\nto focus more on the OpenVPN development and less on the packaging\nand how packaging is done in all various distributions.\n\nFor more details:\n\n* Arch Linux\n https://www.archlinux.org/packages/?name=openvpn\n\n* Debian\n https://packages.debian.org/search?keywords=openvpn&searchon=names\n https://tracker.debian.org/pkg/openvpn\n\n* Fedora / Fedora EPEL (Red Hat Enterprise Linux/CentOS/Scientific Linux)\n https://apps.fedoraproject.org/packages/openvpn/overview/\n https://src.fedoraproject.org/rpms/openvpn\n\n* Gentoo\n https://packages.gentoo.org/packages/net-vpn/openvpn\n https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/openvpn\n\n* openSUSE\n https://build.opensuse.org/package/show/network:vpn/openvpn\n\n* Ubuntu\n https://packages.ubuntu.com/search?keywords=openvpn\n\nIn addition, the OpenVPN community provides best-effort package\nrepositories for CentOS/Fedora, Debian and Ubuntu:\nhttps://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos\n\n*************************************************************************\n\nTUN/TAP Driver References:\n\n* Linux 2.6 or higher (with integrated TUN/TAP driver):\n\n (1) load driver: modprobe tun\n (2) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward\n\n Note that (1) needs to be done once per reboot. If you install from RPM (see\n above) and use the openvpn.init script, these steps are taken care of for you.\n\n* FreeBSD:\n\n FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,\n tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.\n\n On FreeBSD versions prior to 12.0-RELEASE, there were independent\n TUN and TAP drivers, and the TAP driver needed to be loaded manually,\n using the command:\n\n\t# kldload if_tap\n\n For recent FreeBSD versions, TUN/TAP are integrated and always loaded.\n\n FreeBSD 14 contains the ovpn(4) for kernel-level OpenVPN acceleration\n (DCO) which will be used by OpenVPN 2.6 and up if available.\n\n* OpenBSD:\n\n OpenBSD has dynamically created tun* devices so you only need\n to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun\n you plan to use to create the device(s) at boot.\n\n* Solaris:\n\n You need a TUN/TAP kernel driver for OpenVPN to work:\n\n https://web.archive.org/web/20250504214754/http://www.whiteboard.ne.jp/~admin2/tuntap/\n\n* Haiku:\n\n Haiku can't yet dynamically create TUN/TAP devices, so you need to manually\n create one before running openvpn:\n\n # ifconfig tun/0 up\n\n A standard reference the dev as \"tun\" in your config is all that's needed\n to use the tunnel device.\n\n* Windows\n\n OpenVPN on Windows needs a TUN/TAP kernel driver to work. OpenVPN installers\n include this driver, so installing it separately is not usually required.\n\n Starting from Windows 10 2004 / Windows Server 2022, OpenVPN can use the\n dco-win driver for kernel-level acceleration for OpenVPN client setups.\n This driver is also included in the community-provided OpenVPN installers.\n\n*************************************************************************\n\nCAVEATS & BUGS:\n\n* See the bug tracker on https://github.com/OpenVPN/openvpn/issues\n and the wiki on https://community.openvpn.net/wiki for more detailed\n caveats on operating systems, and for open and resolved bug reports.\n* Note: We only recently switched to GitHub for reporting new issues,\n old issues can be found at https://community.openvpn.net/openvpn/report\n" }, { "path": "Makefile.am", "content": "#\n# OpenVPN -- An application to securely tunnel IP networks\n# over a single UDP port, with support for SSL/TLS-based\n# session authentication and key exchange,\n# packet encryption, packet authentication, and\n# packet compression.\n#\n# Copyright (C) 2002-2026 OpenVPN Inc \n# Copyright (C) 2010-2026 David Sommerseth \n# Copyright (C) 2006-2012 Alon Bar-Lev \n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License along\n# with this program; if not, see .\n#\n\nACLOCAL_AMFLAGS = -I m4\n\nMAINTAINERCLEANFILES = \\\n\tconfig.log config.status \\\n\t$(srcdir)/Makefile.in \\\n\t$(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \\\n\t$(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \\\n\t$(srcdir)/m4/libtool.m4 $(srcdir)/m4/lt~obsolete.m4 \\\n\t$(srcdir)/m4/ltoptions.m4 $(srcdir)/m4/ltsugar.m4 \\\n\t$(srcdir)/m4/ltversion.m4 \\\n\t$(srcdir)/depcomp $(srcdir)/aclocal.m4 \\\n\t$(srcdir)/config.guess $(srcdir)/config.sub\n\nCLEANFILES = \\\n\tconfig-version.h tests/t_client.sh\n\nEXTRA_DIST = \\\n\tcontrib \\\n\tdebug \\\n\tltrc.inc \\\n\tCMakeLists.txt \\\n\tCMakePresets.json \\\n\tconfig.h.cmake.in \\\n\tforked-test-driver\n\n.PHONY: config-version.h doxygen\n\nif GIT_CHECKOUT\nBUILT_SOURCES = \\\n\tconfig-version.h\nendif\n\nSUBDIRS = distro include src sample doc tests\n\ndist_doc_DATA = \\\n\tREADME \\\n\tREADME.mbedtls \\\n\tChanges.rst \\\n\tCOPYRIGHT.GPL \\\n\tCOPYING\n\ndist_noinst_DATA = \\\n\t.gitignore \\\n\t.gitattributes \\\n\tCONTRIBUTING.rst \\\n\tPORTS \\\n\tREADME.cmake.md \\\n\tREADME.dco.md \\\n\tREADME.ec \\\n\tREADME.wolfssl\n\nconfig-version.h:\n\t@CONFIGURE_GIT_CHFILES=\"`$(GIT) -C \\\"$(top_srcdir)\\\" diff-files --name-status -r --ignore-submodules --quiet -- || echo \\\"+\\\"`\"; \\\n\tCONFIGURE_GIT_UNCOMMITTED=\"`$(GIT) -C \\\"$(top_srcdir)\\\" diff-index --cached --quiet --ignore-submodules HEAD || echo \\\"*\\\"`\"; \\\n\tCONFIGURE_GIT_REVISION=\"`$(GIT) -C \\\"$(top_srcdir)\\\" rev-parse --symbolic-full-name HEAD | cut -d/ -f3-`/`$(GIT) -C \\\"$(top_srcdir)\\\" rev-parse --short=16 HEAD`\"; \\\n\techo \"#define CONFIGURE_GIT_REVISION \\\"$${CONFIGURE_GIT_REVISION}\\\"\" > config-version.h.tmp; \\\n\techo \"#define CONFIGURE_GIT_FLAGS \\\"$${CONFIGURE_GIT_CHFILES}$${CONFIGURE_GIT_UNCOMMITTED}\\\"\" >> config-version.h.tmp\n\n\t@if ! [ -f config-version.h ] || ! cmp -s config-version.h.tmp config-version.h; then \\\n\t\techo \"replacing config-version.h\"; \\\n\t\tmv config-version.h.tmp config-version.h; \\\n\telse \\\n\t\trm -f config-version.h.tmp; \\\n\tfi\n\ndoxygen:\n\t$(MAKE) -C doc/doxygen doxygen\n" }, { "path": "NEWS", "content": "" }, { "path": "PORTS", "content": "OpenVPN\nCopyright (C) 2002-2026 OpenVPN Inc \n\n OpenVPN has been written to try to avoid features\n that are not standardized well across different\n OSes, so porting OpenVPN itself will probably be\n straightforward if a tun or tap driver already exists.\n\n Where special OS features are used, they are usually\n bracketed with #ifdef HAVE_SOME_FUNCTION.\n\nPLATFORM STATUS:\n\nTier 1 platforms - actively tested for every source commit, across\nmultiple operating system versions\n\n * Windows 7 and newer\n * Windows Server 2012 and newer\n * Linux\n * FreeBSD\n * macOS\n\nTier 2 platforms - it worked at some point, but is not actively tested\non \"latest OS, latest OS libraries\" so might break if larger changes\nare done on the platform side\n\n * OpenBSD\n * NetBSD\n * DragonFly BSD\n * Solaris\n * AIX\n\nFor underlying CPU architecture, everything 32 bit or 64 bit (Intel, AMD,\nARM, PowerPC, SPARC*) should work fine. 16 bit Architectures are unlikely\nto work.\n\n\nPORTING GUIDELINE TO A NEW PLATFORM:\n\n * Make sure that OpenSSL will build on your\n platform.\n * Make sure that a tun or tap virtual device\n driver exists for your platform. See\n https://vtun.sourceforge.net/tun/ for examples\n of tun and tap drivers that have been written\n for Linux, Solaris, and FreeBSD.\n * Make sure you have autoconf 2.50+ and\n automake 1.6+.\n * Edit configure.ac, adding platform specific\n config code, and a TARGET_YOUROS define.\n * Add platform-specific includes to syshead.h.\n * Add an #ifdef TARGET_YOUROS to the do_ifconfig()\n function in tun.c to generate a correct \"ifconfig\"\n command for your platform. Note that OpenVPN\n determines the ifconfig path at ./configure time.\n * Possibly add an ifconfig_order() variant for your OS so\n openvpn knows whether to call ifconfig before\n or after tun/tap dev open.\n * Add an #ifdef TARGET_YOUROS block in tun.c and define\n the open_tun, close_tun, read_tun, and write_tun\n functions. If your tun/tap virtual device is\n sufficiently generic, you may be able to use the\n default case.\n * Add appropriate code to route.c to handle\n the route command on your platform. This\n is necessary for the --route option to\n work correctly.\n * After you successfully build OpenVPN, run\n the loopback tests as described in INSTALL.\n * For the next test, confirm that the UDP socket\n functionality is working independently of the\n tun device, by doing something like:\n ./openvpn --remote localhost --verb 9 --ping 1 --dev null\n * Now try with --remote [a real host]\n * Now try with a real tun/tap device, you will\n need to figure out the appropriate ifconfig\n command to use once openvpn has opened the tun/tap\n device.\n * Once you have simple tests working on the tun device,\n try more complex tests such as using TLS mode.\n * Stress test the link by doing ping -f across it.\n * Make sure that packet fragmenting is happening\n correctly by doing a ping -s 2000 or higher.\n * Ensure that OpenVPN on your platform will talk\n to OpenVPN on other platforms such as Linux.\n Some tun/tap driver implementations will prepend\n unnecessary stuff onto the datagram that must be\n disabled with an explicit ioctl call if cross-platform\n compatibility is to be preserved. You can see some\n examples of this in tun.c.\n * Try the ultimate stress test which is --gremlin --reneg-sec 10\n in TLS mode then do a flood ping across the tunnel\n (ping -f remote-endpoint) in both directions and let\n it run overnight. --gremlin will induce massive\n corruption and packet loss, but you win if you\n wake up the next morning and both peers are still\n running and occasionally even succeeding in their\n attempted once-per-10-seconds TLS handshake. \n * When it's working, submit your patch to\n \n and rejoice :)\n" }, { "path": "README", "content": "OpenVPN -- A Secure tunneling daemon\n\nCopyright (C) 2002-2022 OpenVPN Inc. This program is free software;\nyou can redistribute it and/or modify\nit under the terms of the GNU General Public License version 2\nas published by the Free Software Foundation.\n\n*************************************************************************\n\nTo get the latest release of OpenVPN, go to:\n\n\thttps://openvpn.net/community-downloads/\n\nTo Build and Install,\n\n\ttar -zxf openvpn-.tar.gz\n\tcd openvpn-\n\t./configure\n\tmake\n\tmake install\n\nor see the file INSTALL for more info.\n\nFor information on how to build OpenVPN on/for Windows with MinGW\nor MSVC see README.cmake.md.\n\n*************************************************************************\n\nFor detailed information on OpenVPN, including examples, see the man page\n http://openvpn.net/man.html\n\nFor a sample VPN configuration, see\n http://openvpn.net/howto.html\n\nTo report an issue, see\n https://github.com/OpenVPN/openvpn/issues/new\n\nFor a description of OpenVPN's underlying protocol,\n see the file ssl.h included in the source distribution.\n\n*************************************************************************\n\nOther Files & Directories:\n\n* configure.ac -- script to rebuild our configure\n script and makefile.\n\n* sample/sample-scripts/verify-cn\n\n A sample perl script which can be used with OpenVPN's\n --tls-verify option to provide a customized authentication\n test on embedded X509 certificate fields.\n\n* sample/sample-keys/\n\n Sample RSA keys and certificates. DON'T USE THESE FILES\n FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE.\n\n* sample/sample-config-files/\n\n A collection of OpenVPN config files and scripts from\n the HOWTO at http://openvpn.net/howto.html\n\n*************************************************************************\n\nNote that easy-rsa and tap-windows are now maintained in their own subprojects.\nTheir source code is available here:\n\n https://github.com/OpenVPN/easy-rsa\n https://github.com/OpenVPN/tap-windows6\n\nCommunity-provided Windows installers (MSI) and Debian packages are built from\n\n https://github.com/OpenVPN/openvpn-build\n\nSee the INSTALL file for usage information.\n" }, { "path": "README.awslc", "content": "This version of OpenVPN supports AWS-LC (AWS Libcrypto), AWS's open-source cryptographic library.\n\nIf you encounter bugs in OpenVPN while using AWS-LC:\n1. Try compiling OpenVPN with OpenSSL to determine if the issue is specific to AWS-LC\n2. For AWS-LC-specific issues, please report them at: https://github.com/aws/aws-lc\n\nTo build and install OpenVPN with AWS-LC:\n\n OPENSSL_CFLAGS=\"-I/${AWS_LC_INSTALL_FOLDER}/include\" \\\n OPENSSL_LIBS=\"-L/${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto\" \\\n LDFLAGS=\"-Wl,-rpath=${AWS_LC_INSTALL_FOLDER}/lib\" \\\n ./configure --with-crypto-library=openssl\n make\n make install\n\n*************************************************************************\nDue to limitations in AWS-LC, the following features are missing\n* Windows CryptoAPI support\n" }, { "path": "README.cmake.md", "content": "OpenVPN Builds with CMake\n=========================\n\nFor Windows builds we do not use the autotools-based buildsystem that we use\nfor our Unix-like (Linux, BSDs, macOS, etc.) builds. Instead we added a\nseparate (CMake)[https://cmake.org/]-based buildsystem.\n\nThis buildsystem supports building for Windows both with MSVC (i.e. Visual\nStudio) and MinGW. MinGW builds are also supported as cross-compile\nfrom Linux.\n\nThe official builds, which are also available as CMake presets (see\n`cmake --list-presets` and `CMakePresets.json`) all use\n(VCPKG)[https://github.com/microsoft/vcpkg/#vcpkg-overview] for dependency\nmanagement. This allows us to do proper supply-chain management and\nalso makes cross-building with MinGW on Linux much simpler. However,\nbuilds are also possible by providing the build dependencies manually,\nbut that might require specifying more information to CMake.\n\nYou need at least CMake version 3.21 or newer for the `CMakePreset.json`\nfile to be supported. Manual builds might be possible with older CMake\nversions, see `cmake_minimum_required` in `CMakeLists.txt`.\n\nIf you're looking to build the full Windows installer MSI, take a look\nat https://github.com/OpenVPN/openvpn-build.git .\n\nMSVC builds\n-----------\n\nThe following tools are expected to be present on the system, you\ncan install them with a package manager of your choice (e.g.\nchocolatey, winget) or manually:\n\n* CMake (>= 3.21)\n* Git\n* Python (3.x), plus the Python module `docutils`\n* Visual Studion 17 (2022), C/C++ Enviroment\n\nFor example, to prepare the required tools with chocolatey, you\ncan use the following commands (Powershell):\n\n # Installing Chocolatey\n Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))\n & choco.exe install -y git --params \"/GitAndUnixToolsOnPath\"\n & choco.exe install -y python\n & python.exe -m ensurepip\n & python.exe -m pip install --upgrade pip\n & python.exe -m pip install docutils\n & choco.exe install -y cmake --installargs 'ADD_CMAKE_TO_PATH=System'\n & choco.exe install -y \"visualstudio2022buildtools\"\n & choco.exe install -y \"visualstudio2022-workload-vctools\" --params \"--add Microsoft.VisualStudio.Component.UWP.VC.ARM64 --add Microsoft.VisualStudio.Component.VC.Tools.ARM64 --add Microsoft.VisualStudio.Component.VC.ATL.Spectre --add Microsoft.VisualStudio.Component.VC.ATLMFC.Spectre --add Microsoft.VisualStudio.Component.VC.ATL.ARM64.Spectre --add Microsoft.VisualStudio.Component.VC.MFC.ARM64.Spectre --add Microsoft.VisualStudio.Component.VC.Runtimes.ARM64.Spectre --add Microsoft.VisualStudio.Component.VC.Runtimes.x86.x64.Spectre --quiet\"\n & choco.exe install -y windows-sdk-10-version-2004-windbg\n\nOne or more restarts of Powershell might be required to pick up new additions\nto `PATH` between steps. A Windows restart is probably required after\ninstalling Visual Studio before being able to use it.\nYou can find the exact commands we use to set up the community build machines\nat https://github.com/OpenVPN/openvpn-buildbot/blob/master/jenkins/windows-server/msibuild.pkr.hcl\n\nTo do a default build, assuming you are in a MSVC 17 2022 environment:\n\n mkdir C:\\OpenVPN\n cd C:\\OpenVPN\n git clone https://github.com/microsoft/vcpkg.git\n git clone https://github.com/OpenVPN/openvpn.git\n set VCPKG_ROOT=C:\\OpenVPN\\vcpkg\n cd openvpn\n cmake --preset win-amd64-release\n cmake --build --preset win-amd64-release\n ctest --preset win-amd64-release\n\nWhen using the presets, the build directory is\n`out/build//`, you can find the output files there.\nNo install support is provided directly in OpenVPN build, take a look\nat https://github.com/OpenVPN/openvpn-build.git instead.\n\nMinGW builds (cross-compile on Linux)\n-------------------------------------\n\nTo build the Windows executables on a Linux system:\n\n # install mingw with the package manager of your choice, e.g.\n sudo apt-get install -y mingw-w64\n # in addition to mingw we also need a toolchain for host builds, e.g.\n sudo apt-get install -y build-essential\n # minimum required tools for vcpkg bootstrap: curl, zip, unzip, tar, e.g.\n sudo apt-get install -y curl zip unzip tar\n # additionally vcpkg requires powershell when building Windows binaries.\n # See https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux\n # e.g.\n sudo apt-get install -y wget apt-transport-https software-properties-common\n wget -q \"https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb\"\n sudo dpkg -i packages-microsoft-prod.deb\n sudo apt-get update\n sudo apt-get install -y powershell\n # minimum required tools for build: cmake, docutils, git, ninja,\n # pkg-config, python e.g.\n sudo apt-get install -y cmake git ninja-build pkg-config python3 python3-docutils\n # additionally required to build pkcs11-helper: automake, autoconf,\n # man2html, e.g.\n sudo apt-get install -y automake autoconf man2html-base\n mkdir mingw\n cd mingw\n git clone https://github.com/microsoft/vcpkg.git\n git clone https://github.com/OpenVPN/openvpn.git\n export VCPKG_ROOT=$PWD/vcpkg\n cd openvpn\n # requires CMake 3.21 or newer\n cmake --preset mingw-x64\n cmake --build --preset mingw-x64\n # unit tests are built, but no testPreset is provided. You need to copy\n # them to a Windows system manually\n\nThe instructions have been verified on a Ubuntu 22.04 LTS system in a\nbash shell, and might need adaptions to other Linux distributions/versions.\n\nNote that the MinGW preset builds use the `Ninja multi-config` generator, so\nif you want to build the Debug binaries, use\n\n cmake --build --preset mingw-x64 --config Debug\n\nThe default build is equivalent to specifying `--config Release`.\n\nWhen using the presets, the build directory is\n`out/build/mingw/`, you can find the actual output files in\nsub-directories called ``.\nNo install support is provided directly in OpenVPN build, take a look\nat https://github.com/OpenVPN/openvpn-build.git instead.\n\nUnsupported builds\n------------------\n\nThe CMake buildsystem also supports builds on Unix-like platforms. These builds\nare sometimes useful for OpenVPN developers (e.g. when they use IDEs with\nintegrated CMake support). However, they are not officially supported, do not\ninclude any install support and should not be used to distribute/package\nOpenVPN. To emphasize this fact, you need to specify `-DUNSUPPORTED_BUILDS=ON`\nto cmake to be able to use these builds.\n\nThe `unix-native` CMake preset is available for these builds. This preset does\nnot require VCPKG and instead assumes all build-dependencies are provided by\nthe system natively.\n\nGenerating compile_commands.json\n--------------------------------\n\nTo have the CMake buildsystem generate compile_commands.json you can specify\n`-DENABLE_COMPILE_COMMANDS=ON` on the command line or enable the CMake option\nanother way you like. For supported generators the file will then be created.\nAdditionally, the buildsystem will create a symlink `build/` to the --preset\nbuild directory that contains the generated JSON file. This is done so that\nclangd is able to find it.\n\nEnabling this option may cause an error on Windows, since creating a symlink\nis a privileged operation there. If you enable Developer Mode for the system,\nsymlinks can be created by regular users.\n" }, { "path": "README.dco.md", "content": "OpenVPN data channel offload\n============================\n2.6.0+ implements support for data-channel offloading where the data packets\nare directly processed and forwarded in kernel space thanks to the ovpn-dco\nkernel module. The userspace openvpn program acts purely as a control plane\napplication.\n\n\nOverview of current release\n---------------------------\n- See the \"Limitations by design\" and \"Current limitations\" sections for\n features that are not and/or will not be supported by OpenVPN + ovpn-dco.\n\n\nGetting started (Linux)\n-----------------------\nThe new DCO linux kernel module (namely `ovpn`) has been merged upstream\nas of linux-6.16. From this kernel version onwards you directly get\nthe DCO module as shipped by your kernel.\nNOTE: the new `ovpn` Linux kernel module is compatible only with OpenVPN\n2.7 and greater.\n\nAlternatively, if you run an older kernel or if you want to use a more\nrecent DCO module than the one shipped by your kernel, you need to use\nthe ovpn-backports project.\n\nTo learn how to use the ovpn-backports project and build your own DCO\nkernel module, please refer to the README file available at:\n\n https://github.com/OpenVPN/ovpn-backports/blob/main/README.md\n\nThen clone and build OpenVPN (or use OpenVPN 2.7+). For example:\n\n git clone https://github.com/openvpn/openvpn.git\n cd openvpn\n autoreconf -vi\n ./configure --enable-dco\n make\n sudo make install # Or just run src/openvpn/openvpn\n\nWhen starting openvpn it will automatically detect DCO support and use the\nkernel module. Add the option `--disable-dco` to disable data channel offload\nsupport. If the configuration contains an option that is incompatible with\ndata channel offloading, OpenVPN will automatically disable DCO support and\nwarn the user.\n\nShould OpenVPN be configured to use a feature that is not supported by ovpn\nor should the ovpn kernel module not be available on the system, you will\nsee a message like\n\n Note: Kernel support for ovpn-dco missing, disabling data channel offload.\n\nin your log.\n\n\nGetting started (Windows)\n-------------------------\nOfficial releases published at https://openvpn.net/community-downloads/\ninclude ovpn-dco-win driver since 2.6.0.\n\nThere are also snapshot releases available at\nhttps://build.openvpn.net/downloads/snapshots/github-actions/openvpn2/ .\nThis installer contains the latest OpenVPN code and the ovpn-dco-win driver.\n\n\nDCO and P2P mode\n----------------\nDCO is also available when running OpenVPN in P2P mode without `--pull` /\n`--client` option. P2P mode is useful for scenarios when the OpenVPN tunnel\nshould not interfere with overall routing and behave more like a \"dumb\" tunnel,\nlike GRE.\n\nHowever, DCO requires DATA_V2 to be enabled, which is available for P2P mode\nonly in OpenVPN 2.6 and later.\n\nOpenVPN prints a diagnostic message for the P2P NCP result when running in P2P\nmode:\n\n P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 9484735, cipher=AES-256-GCM\n\nDouble check that you have `DATA_v2=1` in your output and a supported AEAD\ncipher (AES-XXX-GCM or CHACHA20POLY1305).\n\n\nRouting with ovpn-dco\n---------------------\nThe ovpn-dco kernel module implements a more transparent approach to\nconfiguring routes to clients (aka \"iroutes\") and consults the main kernel\nrouting tables for forwarding decisions.\n\n- Each client has a VPN IPv4 and/or a VPN IPv6 assigned to it;\n- additional IP ranges can be routed to a client by adding a route with\n a client VPN IP as the gateway/nexthop (i.e. ip route add a.b.c.d/24 via\n $VPNIP);\n- due to the point above, there is no real need to add a companion `--route` for\n each `--iroute` directive, unless you want to blackhole traffic when the\n specific client is not connected;\n- no internal routing is available. If you need truly internal routes, this can\n be achieved either with filtering using `iptables` or using `ip rule`;\n- client-to-client behaviour, as implemented in userspace, does not exist:\n packets always reach the tunnel interface and are then re-routed to the\n destination peer based on the system routing table.\n\n\nLimitations by design\n----------------------\n- Layer 3 (dev tun) only;\n- only the following AEAD ciphers are currently supported: Chacha20-Poly1305\n and AES-GCM-128/192/256;\n- no support for compression or compression framing:\n - see also the `--compress migrate` option to move to a setup without\n compression;\n- various features not implemented since they have better replacements:\n - `--shaper`, use tc instead;\n - packet manipulation, use nftables/iptables instead;\n- OpenVPN 2.4.0 is the minimum version required for peers to connect:\n - older versions are missing support for the AEAD ciphers;\n- topology subnet is the only supported `--topology` for servers;\n- iroute directives install routes on the host operating system, see also\n Routing with ovpn-dco;\n- (ovpn-dco-win) client and p2p mode only;\n- (ovpn-dco-win) Chacha20-Poly1305 support available starting with Windows 11.\n\n\nCurrent implementation limitations\n-------------------\n- `--persist-tun` not tested;\n- IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work;\n- some incompatible options may not properly fallback to non-dco;\n" }, { "path": "README.ec", "content": "Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic\ncurves are an alternative to RSA for asymmetric encryption.\n\nElliptic curve crypto ('ECC') can be used for the ('TLS') control channel only\nin OpenVPN; the data channel (encrypting the actual network traffic) uses\nsymmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key\nexchange (ECDH).\n\nKey exchange (ECDH)\n-------------------\nOpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is\nused for authentication, the curve used for the server certificate will be used\nfor ECDH too. When autodetection fails (e.g. when using RSA certificates)\nOpenVPN lets the crypto library decide if possible, or falls back to the\nsecp384r1 curve. The list of groups/curves that the crypto library will choose\nfrom can be set with the --tls-groups option.\n\nAn administrator can force an OpenVPN/OpenSSL server to use a specific curve\nusing the --ecdh-curve option with one of the curves listed as\navailable by the --show-groups option. Clients will use the same curve as\nselected by the server.\n\nNote that not all curves listed by --show-groups are available for use with TLS;\nin that case connecting will fail with a 'no shared cipher' TLS error.\n\nAuthentication (ECDSA)\n----------------------\nSince OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which\nspecific curves and cipher suites are available depends on your version and\nconfiguration of the crypto library. The crypto library will automatically\nselect a cipher suite for the TLS control channel.\n\nSupport for generating an ECDSA certificate chain is available in EasyRSA (in\nspite of it's name) since EasyRSA 3.0. The parameters you're looking for are\n'--use-algo=ec' and '--curve='. See the EasyRSA documentation for\nmore details on generating ECDSA certificates.\n" }, { "path": "README.mbedtls", "content": "This version of OpenVPN has mbed TLS support. To enable, follow the\ninstructions below:\n\nTo build and install,\n\n\t./configure --with-crypto-library=mbedtls\n\tmake\n\tmake install\n\nThis version requires mbed TLS version >= 3.2.1. Support for TLS 1.3 requires\nan Mbed TLS version >= 3.6.4.\n\n*************************************************************************\n\nDue to limitations in the mbed TLS library, the following features are missing\nin the mbed TLS version of OpenVPN:\n\n * PKCS#12 file support\n * --capath support - Loading certificate authorities from a directory\n * Windows CryptoAPI support\n * X.509 alternative username fields (must be \"CN\")\n\nPlugin/Script features:\n\n * X.509 subject line has a different format than the OpenSSL subject line\n * X.509 certificate tracking\n" }, { "path": "README.wolfssl", "content": "Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support is\nimplemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN\nreceives very limited testing/support from the OpenVPN community itself.\n\nIf bugs in OpenVPN when using wolfSSL are encountered, the user should try to\nalso compile OpenVPN with OpenSSL to determine if these are bugs in the\nwolfSSL TLS implementation or OpenVPN itself. If bugs are caused by compiling\nwith wolfSSL, please contact support@wolfssl.com directly.\n\nTo Build and Install,\n\n\t./configure --with-crypto-library=wolfssl\n\tmake\n\tmake install\n\n\nThe wolfSSL library will include the installed options.h file by default.\nTo include a custom user_settings.h file for wolfSSL,\n\n./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h\nmake\nmake install\n\n*************************************************************************\nDue to limitations in the wolfSSL TLS library or its compatibility layer, the\nfollowing features are missing\n\n * blowfish support (BF-CBC), you must use something like\n cipher AES-128-CBC to avoid trying to use BF-CBC\n * Windows CryptoAPI support\n * No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or\n other build that do not support TLS EKM)\n\n\n*************************************************************************\nNewer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not\ncompatible with OpenVPN's GPLv2 license.\n\nHowever wolfSSL Inc has granted an exception to combine the wolfSSL library\nwith OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING)\nwith version 5.8.4 and later.\n*************************************************************************\nTo build WolfSSL with post-quantum KEMs built in, the following command is used:\n\n./configure --enable-openvpn --enable-kyber=all --enable-curve25519\n\nWolfSSL supports the following post-quantum KEMs and post-quantum hybrid KEMs which must be specified\nusing the tls-groups option in an OpenVPN config. Unlike OpenSSL, which includes X25519MLKEM768\nin the default config, WolfSSL requires explicit configuration of tls-groups to include\nat least one post-quantum KEM.\n\nML_KEM_512\nML_KEM_768\nML_KEM_1024\n\nP256_ML_KEM_512\nX25519_ML_KEM_512\n\nP384_ML_KEM_768\nP256_ML_KEM_768\nX448_ML_KEM_768\nX25519_ML_KEM_768\n\nP384_ML_KEM_1024\nP521_ML_KEM_1024\n\nThe naming conventions of algorithms differ between WolfSSL and OpenSSL. An example is that\nOpenSSL omits underscores for their naming notation whereas WolfSSL expects them. Additionally,\nOpenSSL does not accept the P curve notation and instead uses the equivalent secp notation.\nA specific example is that WolfSSL expects P384_ML_KEM_1024, while OpenSSL expects secp384r1MLKEM1024.\n" }, { "path": "compat.m4", "content": "dnl OpenVPN -- An application to securely tunnel IP networks\ndnl over a single UDP port, with support for SSL/TLS-based\ndnl session authentication and key exchange,\ndnl packet encryption, packet authentication, and\ndnl packet compression.\ndnl\ndnl Copyright (C) 2008-2012 Alon Bar-Lev \ndnl\ndnl This program is free software; you can redistribute it and/or modify\ndnl it under the terms of the GNU General Public License as published by\ndnl the Free Software Foundation; either version 2 of the License, or\ndnl (at your option) any later version.\ndnl\ndnl This program is distributed in the hope that it will be useful,\ndnl but WITHOUT ANY WARRANTY; without even the implied warranty of\ndnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\ndnl GNU General Public License for more details.\ndnl\ndnl You should have received a copy of the GNU General Public License along\ndnl with this program; if not, see .\n\ndnl Compatibility layer for =4) */\n#define ENABLE_DEBUG 1\n\n/* Enable internal fragmentation support */\n#define ENABLE_FRAGMENT 1\n\n/* Enable linux data channel offload */\n#cmakedefine ENABLE_LINUXDCO\n\n/* Enable LZ4 compression library */\n#cmakedefine ENABLE_LZ4\n\n/* Enable LZO compression library */\n#cmakedefine ENABLE_LZO\n\n/* Enable dns-updown script hook */\n#cmakedefine ENABLE_DNS_UPDOWN\n\n/* Enable management server capability */\n#define ENABLE_MANAGEMENT 1\n\n/* Enable OFB and CFB cipher modes */\n#define ENABLE_OFB_CFB_MODE\n\n/* Enable PKCS11 */\n#cmakedefine ENABLE_PKCS11\n\n/* Enable plug-in support */\n#define ENABLE_PLUGIN 1\n\n/* Enable TCP Server port sharing */\n#cmakedefine ENABLE_PORT_SHARE\n\n/* SELinux support */\n#cmakedefine ENABLE_SELINUX\n\n/* enable sitnl support */\n#cmakedefine ENABLE_SITNL\n\n/* Enable systemd integration */\n/* #undef ENABLE_SYSTEMD */\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_ARPA_INET_H 1\n\n/* Define to 1 if you have the `basename' function. */\n#cmakedefine HAVE_BASENAME\n\n/* Define to 1 if you have the `chdir' function. */\n#cmakedefine HAVE_CHDIR\n\n/* Define to 1 if you have the `chroot' function. */\n#cmakedefine HAVE_CHROOT\n\n/* Define to 1 if you have the `chsize' function. */\n#cmakedefine HAVE_CHSIZE\n\n/* struct cmsghdr needed for extended socket error support */\n#cmakedefine HAVE_CMSGHDR\n\n/* git version information in config-version.h */\n#cmakedefine HAVE_CONFIG_VERSION_H\n\n/* cmocka version information available in cmocka_version.h (>= 2.0.0) */\n#cmakedefine HAVE_CMOCKA_VERSION_H\n\n/* Define to 1 if you have the `daemon' function. */\n#cmakedefine HAVE_DAEMON\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_DIRECT_H\n\n/* Define to 1 if you have the `dirname' function. */\n#cmakedefine HAVE_DIRNAME\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_DLFCN_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_DMALLOC_H\n\n/* Define to 1 if you have the `dup' function. */\n#cmakedefine HAVE_DUP\n\n/* Define to 1 if you have the `dup2' function. */\n#cmakedefine HAVE_DUP2\n\n/* Define to 1 if you have the `epoll_create' function. */\n#cmakedefine HAVE_EPOLL_CREATE\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_ERR_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_FCNTL_H\n\n/* Define to 1 if you have the `fork' function. */\n#cmakedefine HAVE_FORK\n#cmakedefine HAVE_EXECVE\n\n/* Define to 1 if you have the `ftruncate' function. */\n#cmakedefine HAVE_FTRUNCATE\n\n/* Define to 1 if you have the `getgrnam' function. */\n#cmakedefine HAVE_GETGRNAM\n\n/* Define to 1 if you have the `getpeereid' function. */\n#cmakedefine HAVE_GETPEEREID\n\n/* Define to 1 if you have the `getpwnam' function. */\n#cmakedefine HAVE_GETPWNAM\n\n/* Define to 1 if you have the `getrlimit' function. */\n#cmakedefine HAVE_GETRLIMIT\n\n/* Define to 1 if you have the `getsockname' function. */\n#cmakedefine HAVE_GETSOCKNAME\n\n/* Define to 1 if you have the `gettimeofday' function. */\n#cmakedefine HAVE_GETTIMEOFDAY\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_GRP_H\n\n/* struct in_pktinfo needed for IP_PKTINFO support */\n#cmakedefine HAVE_IN_PKTINFO\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_IO_H\n\n/* struct in_pktinfo.ipi_spec_dst needed for IP_PKTINFO support */\n#cmakedefine HAVE_IPI_SPEC_DST\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_LIBGEN_H\n\n/* Define to 1 if you have the header file. */\n#define HAVE_LIMITS_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_LZO1X_H 1\n\n/* Define to 1 if you have the `mlockall' function. */\n#cmakedefine HAVE_MLOCKALL\n\n/* struct msghdr needed for extended socket error support */\n#cmakedefine HAVE_MSGHDR\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_NETDB_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_NETINET_IN_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_NETINET_IP_H\n\n/* Define to 1 if you have the header file. */\n#undef HAVE_NETINET_TCP_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_NET_IF_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_NET_IF_TUN_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_NET_TUN_IF_TUN_H\n\n/* Define to 1 if you have the `nice' function. */\n#cmakedefine HAVE_NICE\n\n/* Define to 1 if you have the `openlog' function. */\n#cmakedefine HAVE_OPENLOG\n\n/* OpenSSL engine support available */\n#undef HAVE_OPENSSL_ENGINE\n\n/* Define to 1 if you have the `poll' function. */\n#undef HAVE_POLL\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_POLL_H\n\n/* Define to 1 if you have the `putenv' function. */\n#undef HAVE_PUTENV\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_PWD_H\n\n\n/* Define to 1 if you have the `recvmsg' function. */\n#cmakedefine HAVE_RECVMSG\n#cmakedefine HAVE_SENDMSG\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_RESOLV_H\n\n/* sa_family_t, needed to hold AF_* info */\n#cmakedefine HAVE_SA_FAMILY_T\n\n/* Define to 1 if you have the `sd_booted' function. */\n#undef HAVE_SD_BOOTED\n\n/* Define to 1 if you have the `setgid' function. */\n#cmakedefine HAVE_SETGID\n\n/* Define to 1 if you have the `setgroups' function. */\n#undef HAVE_SETGROUPS\n\n/* Define to 1 if you have the `setsid' function. */\n#cmakedefine HAVE_SETSID\n\n/* Define to 1 if you have the `setsockopt' function. */\n#define HAVE_SETSOCKOPT 1\n\n/* Define to 1 if you have the `setuid' function. */\n#cmakedefine HAVE_SETUID\n\n/* Define to 1 if you have the header file. */\n#undef HAVE_SIGNAL_H\n\n/* Define to 1 if you have the `socket' function. */\n#undef HAVE_SOCKET\n\n/* struct sock_extended_err needed for extended socket error support */\n#undef HAVE_SOCK_EXTENDED_ERR\n\n/* Define to 1 if you have the `stat' function. */\n#define HAVE_STAT 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STDARG_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STDINT_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STDIO_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STDLIB_H 1\n\n/* Define to 1 if you have the `strdup' function. */\n#undef HAVE_STRDUP\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STRINGS_H 1\n\n/* Define to 1 if you have the header file. */\n#define HAVE_STRING_H 1\n\n/* Define to 1 if you have the `strsep' function. */\n#undef HAVE_STRSEP\n\n/* Define to 1 if you have the `syslog' function. */\n#cmakedefine HAVE_SYSLOG\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYSLOG_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_EPOLL_H\n\n/* Define to 1 if you have the header file. */\n#undef HAVE_SYS_FILE_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_INOTIFY_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_IOCTL_H\n\n/* Define to 1 if you have the header file. */\n#undef HAVE_SYS_KERN_CONTROL_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_MMAN_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_SOCKET_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_SOCKIO_H\n\n/* Define to 1 if you have the header file. */\n#define HAVE_SYS_STAT_H 1\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_TIME_H\n\n/* Define to 1 if you have the header file. */\n#undef HAVE_SYS_TYPES_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_UIO_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_UN_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_SYS_WAIT_H\n\n/* Define to 1 if you have the header file. */\n#undef HAVE_TAP_WINDOWS_H\n\n/* Define to 1 if you have the header file. */\n#undef HAVE_UAPI_H\n\n/* Define to 1 if you have the header file. */\n#cmakedefine HAVE_UNISTD_H\n\n/* Define to 1 if you have the header file. */\n#undef HAVE_VALGRIND_MEMCHECK_H\n\n/* Availability of different mbed TLS features and APIs */\n#cmakedefine HAVE_PSA_CRYPTO_H\n\n/* Path to ifconfig tool */\n#define IFCONFIG_PATH \"@IFCONFIG_PATH@\"\n\n/* Path to iproute tool */\n#define IPROUTE_PATH \"@IPROUTE_PATH@\"\n\n/* Path to route tool */\n#define ROUTE_PATH \"@ROUTE_PATH@\"\n\n/* OpenVPN version in Windows resource format - string */\n#define OPENVPN_VERSION_RESOURCE @OPENVPN_VERSION_RESOURCE@\n\n/* Name of package */\n#define PACKAGE \"openvpn\"\n\n/* Define to the address where bug reports for this package should be sent. */\n#undef PACKAGE_BUGREPORT\n\n/* Define to the full name of this package. */\n#define PACKAGE_NAME \"OpenVPN\"\n\n/* Define to the full name and version of this package. */\n#define PACKAGE_STRING \"OpenVPN @OPENVPN_VERSION_MAJOR@.@OPENVPN_VERSION_MINOR@@OPENVPN_VERSION_PATCH@\"\n\n/* Define to the version of this package. */\n#define PACKAGE_VERSION \"@OPENVPN_VERSION_MAJOR@.@OPENVPN_VERSION_MINOR@@OPENVPN_VERSION_PATCH@\"\n\n/* Path to systemd-ask-password tool */\n#undef SYSTEMD_ASK_PASSWORD_PATH\n\n/* The tap-windows id */\n#define TAP_WIN_COMPONENT_ID \"tap0901\"\n\n/* The tap-windows version number is required for OpenVPN */\n#define TAP_WIN_MIN_MAJOR 9\n\n/* The tap-windows version number is required for OpenVPN */\n#define TAP_WIN_MIN_MINOR 9\n\n/* Are we running on Mac OS X? */\n#cmakedefine TARGET_DARWIN\n\n/* Are we running on FreeBSD? */\n#cmakedefine TARGET_FREEBSD\n\n/* Are we running on Linux? */\n#cmakedefine TARGET_LINUX\n\n/* Are we running on Solaris/OpenIndiana? */\n#cmakedefine TARGET_SOLARIS\n\n/* Are we running WIN32? */\n#cmakedefine TARGET_WIN32\n\n/* Are we targeting Android? */\n#cmakedefine TARGET_ANDROID\n\n#define TARGET_ALIAS \"@CMAKE_SYSTEM_NAME@\"\n\n/* Enable GNU extensions on systems that have them. */\n#ifndef _GNU_SOURCE\n# define _GNU_SOURCE 1\n#endif\n" }, { "path": "configure.ac", "content": "dnl OpenVPN -- An application to securely tunnel IP networks\ndnl over a single UDP port, with support for SSL/TLS-based\ndnl session authentication and key exchange,\ndnl packet encryption, packet authentication, and\ndnl packet compression.\ndnl\ndnl Copyright (C) 2002-2026 OpenVPN Inc \ndnl Copyright (C) 2006-2012 Alon Bar-Lev \ndnl\ndnl This program is free software; you can redistribute it and/or modify\ndnl it under the terms of the GNU General Public License as published by\ndnl the Free Software Foundation; either version 2 of the License, or\ndnl (at your option) any later version.\ndnl\ndnl This program is distributed in the hope that it will be useful,\ndnl but WITHOUT ANY WARRANTY; without even the implied warranty of\ndnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\ndnl GNU General Public License for more details.\ndnl\ndnl You should have received a copy of the GNU General Public License along\ndnl with this program; if not, see .\n\ndnl Process this file with autoconf to produce a configure script.\n\nAC_PREREQ(2.60)\n\nm4_include(version.m4)\nAC_INIT([PRODUCT_NAME], [PRODUCT_VERSION], [PRODUCT_BUGREPORT], [PRODUCT_TARNAME])\nm4_include(compat.m4)\nAC_DEFINE([OPENVPN_VERSION_RESOURCE], [PRODUCT_VERSION_RESOURCE], [Version in windows resource format])\nAC_SUBST([OPENVPN_VERSION_MAJOR], [PRODUCT_VERSION_MAJOR], [OpenVPN major version])\nAC_SUBST([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor version])\nAC_SUBST([OPENVPN_VERSION_PATCH], [PRODUCT_VERSION_PATCH], [OpenVPN patch level - may be a string or integer])\nAC_DEFINE([OPENVPN_VERSION_MAJOR], [PRODUCT_VERSION_MAJOR], [OpenVPN major version - integer])\nAC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor version - integer])\nAC_DEFINE([OPENVPN_VERSION_PATCH], [\"PRODUCT_VERSION_PATCH\"], [OpenVPN patch level - may be a string or integer])\n\nAC_CONFIG_AUX_DIR([.])\nAC_CONFIG_HEADERS([config.h include/openvpn-plugin.h])\nAC_CONFIG_SRCDIR([src/openvpn/syshead.h])\nAC_CONFIG_MACRO_DIR([m4])\n\ndnl Automake 1.14+ warns if sources are in sub-directories but subdir-objects\ndnl options is not enabled. However, automake before 1.15a has a bug that causes\ndnl variable expansion to fail in foo_SOURCES when this option is used.\ndnl As most of our build systems are now likely to use automake 1.16+ add a\ndnl work around to conditionally add subdir-objects option.\nm4_define([subdir_objects], [\n m4_esyscmd([automake --version |\n head -1 |\n awk '{split ($NF,a,\".\"); if (a[1] == 1 && a[2] >= 16) { print \"subdir-objects\" }}'\n ])\n])\n\n# This foreign option prevents autoreconf from overriding our COPYING and\n# INSTALL targets:\nAM_INIT_AUTOMAKE(foreign subdir_objects 1.9) dnl NB: Do not [quote] this parameter.\nAM_SILENT_RULES([yes])\nAC_CANONICAL_HOST\nAC_USE_SYSTEM_EXTENSIONS\n\nAC_ARG_ENABLE(\n\t[lzo],\n\t[AS_HELP_STRING([--disable-lzo], [disable LZO compression support @<:@default=yes@:>@])],\n\t,\n\t[enable_lzo=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[lz4],\n\t[AS_HELP_STRING([--disable-lz4], [disable LZ4 compression support @<:@default=yes@:>@])],\n\t[enable_lz4=\"$enableval\"],\n\t[enable_lz4=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[comp-stub],\n\t[AS_HELP_STRING([--enable-comp-stub], [disable compression support but still allow limited interoperability with compression-enabled peers @<:@default=no@:>@])],\n\t[enable_comp_stub=\"$enableval\"],\n\t[enable_comp_stub=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[ofb-cfb],\n\t[AS_HELP_STRING([--disable-ofb-cfb], [disable support for OFB and CFB cipher modes @<:@default=yes@:>@])],\n\t,\n\t[enable_crypto_ofb_cfb=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[dns-updown-by-default],\n\t[AS_HELP_STRING([--disable-dns-updown-by-default], [disable running --dns-updown by default @<:@default=yes@:>@])],\n\t,\n\t[enable_dns_updown_by_default=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[plugins],\n\t[AS_HELP_STRING([--disable-plugins], [disable plug-in support @<:@default=yes@:>@])],\n\t,\n\t[enable_plugins=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[management],\n\t[AS_HELP_STRING([--disable-management], [disable management server support @<:@default=yes@:>@])],\n\t,\n\t[enable_management=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[pkcs11],\n\t[AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support @<:@default=no@:>@])],\n\t,\n\t[enable_pkcs11=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[fragment],\n\t[AS_HELP_STRING([--disable-fragment], [disable internal fragmentation support (--fragment) @<:@default=yes@:>@])],\n\t,\n\t[enable_fragment=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[port-share],\n\t[AS_HELP_STRING([--disable-port-share], [disable TCP server port-share support (--port-share) @<:@default=yes@:>@])],\n\t,\n\t[enable_port_share=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[debug],\n\t[AS_HELP_STRING([--disable-debug], [disable debugging support (disable gremlin and verb 7+ messages) @<:@default=yes@:>@])],\n\t,\n\t[enable_debug=\"yes\"]\n)\n\nAC_ARG_ENABLE(\n\t[small],\n\t[AS_HELP_STRING([--enable-small], [enable smaller executable size (disable OCC, usage message, and verb 4 parm list) @<:@default=no@:>@])],\n\t,\n\t[enable_small=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[dco],\n\t[AS_HELP_STRING([--disable-dco], [disable data channel offload support using the ovpn-dco kernel module @<:@default=yes@:>@ on Linux/FreeBSD, can't disable on Windows])],\n\t,\n\t[\n\t\tcase \"$host\" in\n\t\t\t*-*-linux*)\n\t\t\t\tenable_dco=\"auto\"\n\t\t\t;;\n\t\t\t*-*-freebsd*)\n\t\t\t\tenable_dco=\"auto\"\n\t\t\t;;\n\t\t\t*)\n\t\t\t\t# note that this does not disable it for Windows\n\t\t\t\tenable_dco=\"no\"\n\t\t\t;;\n\t\tesac\n\t]\n)\n\nAC_ARG_ENABLE(\n\t[iproute2],\n\t[AS_HELP_STRING([--enable-iproute2], [enable support for iproute2 (disables DCO) @<:@default=no@:>@])],\n\t,\n\t[enable_iproute2=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[plugin-auth-pam],\n\t[AS_HELP_STRING([--disable-plugin-auth-pam], [disable auth-pam plugin @<:@default=platform specific@:>@])],\n\t,\n\t[\n\t\tcase \"$host\" in\n\t\t\t*-*-openbsd*) enable_plugin_auth_pam=\"no\";;\n\t\t\t*-mingw*) enable_plugin_auth_pam=\"no\";;\n\t\t\t*) enable_plugin_auth_pam=\"yes\";;\n\t\tesac\n\t]\n)\n\nAC_ARG_ENABLE(\n\t[plugin-down-root],\n\t[AS_HELP_STRING([--disable-plugin-down-root], [disable down-root plugin @<:@default=platform specific@:>@])],\n\t,\n\t[\n\t\tcase \"$host\" in\n\t\t\t*-mingw*) enable_plugin_down_root=\"no\";;\n\t\t\t*) enable_plugin_down_root=\"yes\";;\n\t\tesac\n\t]\n)\n\nAC_ARG_ENABLE(\n\t[pam-dlopen],\n\t[AS_HELP_STRING([--enable-pam-dlopen], [dlopen libpam @<:@default=no@:>@])],\n\t,\n\t[enable_pam_dlopen=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[strict],\n\t[AS_HELP_STRING([--enable-strict], [enable strict compiler warnings (debugging option) @<:@default=no@:>@])],\n\t,\n\t[enable_strict=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[pedantic],\n\t[AS_HELP_STRING([--enable-pedantic], [enable pedantic compiler warnings, will not generate a working executable (debugging option) @<:@default=no@:>@])],\n\t,\n\t[enable_pedantic=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[werror],\n\t[AS_HELP_STRING([--enable-werror], [promote compiler warnings to errors, will cause builds to fail if the compiler issues warnings (debugging option) @<:@default=no@:>@])],\n\t,\n\t[enable_werror=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[strict-options],\n\t[AS_HELP_STRING([--enable-strict-options], [enable strict options check between peers (debugging option) @<:@default=no@:>@])],\n\t,\n\t[enable_strict_options=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[selinux],\n\t[AS_HELP_STRING([--enable-selinux], [enable SELinux support @<:@default=no@:>@])],\n\t,\n\t[enable_selinux=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[systemd],\n\t[AS_HELP_STRING([--enable-systemd], [enable systemd support @<:@default=no@:>@])],\n\t,\n\t[enable_systemd=\"no\"]\n)\n\nAC_ARG_ENABLE(\n\t[async-push],\n\t[AS_HELP_STRING([--enable-async-push], [enable async-push support for plugins providing deferred authentication @<:@default=no@:>@])],\n\t,\n\t[enable_async_push=\"no\"]\n)\n\nAC_ARG_WITH(\n\t[special-build],\n\t[AS_HELP_STRING([--with-special-build=STRING], [specify special build string])],\n\t[test -n \"${withval}\" && AC_DEFINE_UNQUOTED([CONFIGURE_SPECIAL_BUILD], [\"${withval}\"], [special build string])]\n)\n\nAC_ARG_WITH(\n\t[mem-check],\n\t[AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory checking, TYPE=no|dmalloc|valgrind|ssl @<:@default=no@:>@])],\n\t[\n\t\tcase \"${withval}\" in\n\t\t\tdmalloc|valgrind|ssl|no) ;;\n\t\t\t*) AC_MSG_ERROR([bad value ${withval} for --mem-check]) ;;\n\t\tesac\n\t],\n\t[with_mem_check=\"no\"]\n)\n\nAC_ARG_WITH(\n\t[crypto-library],\n\t[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],\n\t[\n\t\tcase \"${withval}\" in\n\t\t\topenssl|mbedtls|wolfssl) ;;\n\t\t\t*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;\n\t\tesac\n\t],\n\t[with_crypto_library=\"openssl\"]\n)\n\nAC_ARG_ENABLE(\n\t[wolfssl-options-h],\n\t[AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],\n\t,\n\t[enable_wolfssl_options_h=\"yes\"]\n)\n\nAC_ARG_WITH(\n\t[openssl-engine],\n\t[AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],\n\t[\n\t\tcase \"${withval}\" in\n\t\t\tauto|yes|no) ;;\n\t\t\t*) AC_MSG_ERROR([bad value ${withval} for --with-engine]) ;;\n\t\tesac\n\t],\n\t[with_openssl_engine=\"auto\"]\n)\n\nAC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])\nif test -n \"${PLUGINDIR}\"; then\n\tplugindir=\"${PLUGINDIR}\"\nelse\n\tplugindir=\"\\${libdir}/openvpn/plugins\"\nfi\n\nAC_ARG_VAR([SCRIPTDIR], [Path of script directory @<:@default=PKGLIBEXECDIR@:>@])\nif test -n \"${SCRIPTDIR}\"; then\n\tscriptdir=\"${SCRIPTDIR}\"\nelse\n\tscriptdir=\"\\${pkglibexecdir}\"\nfi\n\nAC_DEFINE_UNQUOTED([TARGET_ALIAS], [\"${host}\"], [A string representing our host])\nAM_CONDITIONAL([ENABLE_DNS_UPDOWN],[true])\ncase \"$host\" in\n\t*-*-linux*)\n\t\tAC_DEFINE([TARGET_LINUX], [1], [Are we running on Linux?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"L\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"systemd\"])\n\t\thave_sitnl=\"yes\"\n\t\tpkg_config_required=\"yes\"\n\t\t;;\n\t*-*-solaris*)\n\t\tAC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"S\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"resolvconf_file\"])\n\t\tCPPFLAGS=\"$CPPFLAGS -D_XPG4_2\"\n\t\ttest -x /bin/bash && SHELL=\"/bin/bash\"\n\t\t;;\n\t*-*-openbsd*)\n\t\tAC_DEFINE([TARGET_OPENBSD], [1], [Are we running on OpenBSD?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"O\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"resolvconf_file\"])\n\t\t;;\n\t*-*-freebsd*)\n\t\tAC_DEFINE([TARGET_FREEBSD], [1], [Are we running on FreeBSD?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"F\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"openresolv\"])\n\t\t;;\n\t*-*-netbsd*)\n\t\tAC_DEFINE([TARGET_NETBSD], [1], [Are we running NetBSD?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"N\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"openresolv\"])\n\t\t;;\n\t*-*-darwin*)\n\t\tAC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"M\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"macos\"])\n\t\thave_tap_header=\"yes\"\n\t\tac_cv_type_struct_in_pktinfo=no\n\t\t;;\n\t*-mingw*)\n\t\tAC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?])\n\t\tAC_DEFINE([ENABLE_DCO], [1], [DCO is always enabled on Windows])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"W\"], [Target prefix])\n\t\tAM_CONDITIONAL([ENABLE_DNS_UPDOWN], [false])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"windows\"])\n\t\tCPPFLAGS=\"${CPPFLAGS} -DWIN32_LEAN_AND_MEAN\"\n\t\tCPPFLAGS=\"${CPPFLAGS} -DNTDDI_VERSION=NTDDI_VISTA -D_WIN32_WINNT=_WIN32_WINNT_VISTA\"\n\t\tWIN32=yes\n\t\t;;\n\t*-*-dragonfly*)\n\t\tAC_DEFINE([TARGET_DRAGONFLY], [1], [Are we running on DragonFlyBSD?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"D\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"openresolv\"])\n\t\t;;\n\t*-aix*)\n\t\tAC_DEFINE([TARGET_AIX], [1], [Are we running AIX?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"A\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"resolvconf_file\"])\n\t\tROUTE=\"/usr/sbin/route\"\n\t\thave_tap_header=\"yes\"\n\t\tac_cv_header_net_if_h=\"no\"\t# exists, but breaks things\n\t\t;;\n\t*-*-haiku*)\n\t\tAC_DEFINE([TARGET_HAIKU], [1], [Are we running Haiku?])\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"H\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"haikuos_file\"])\n\t\tLIBS=\"${LIBS} -lnetwork\"\n\t\t;;\n\t*)\n\t\tAC_DEFINE_UNQUOTED([TARGET_PREFIX], [\"X\"], [Target prefix])\n\t\tAC_SUBST([DNS_UPDOWN_TYPE], [\"resolvconf_file\"])\n\t\thave_tap_header=\"yes\"\n\t\t;;\nesac\n\nAM_CONDITIONAL([CROSS_COMPILING], test \"${cross_compiling}\" = \"yes\")\n\nPKG_PROG_PKG_CONFIG\n# Add variable to print if pkg-config is found or not. Users often miss that\nif test \"${PKG_CONFIG}\" = \"\"; then\n\tif test \"${pkg_config_required}\" = \"yes\"; then\n\t\tAC_MSG_ERROR([pkg-config is required])\n\tfi\n\tpkg_config_found=\"(not found)\"\nelse\n\tpkg_config_found=\"(${PKG_CONFIG})\"\nfi\n\nAC_PROG_CC\nAC_PROG_CPP\nAC_PROG_INSTALL\nAC_PROG_LN_S\nAC_PROG_SED\nAC_PROG_MAKE_SET\n\nAC_ARG_VAR([IFCONFIG], [full path to ipconfig utility])\nAC_ARG_VAR([ROUTE], [full path to route utility])\nAC_ARG_VAR([IPROUTE], [full path to ip utility])\nAC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests\nAC_ARG_VAR([GIT], [path to git utility])\nAC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])\nAC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@])\nAC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@])\nAC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])\nAC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])\nAC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])\nAC_PATH_PROGS([SYSTEMD_ASK_PASSWORD], [systemd-ask-password],, [$PATH:/usr/local/bin:/usr/bin:/bin])\nAC_CHECK_PROGS([NETSTAT], [netstat], [netstat], [$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc]) # tests\nAC_CHECK_PROGS([GIT], [git]) # optional\nAC_DEFINE_UNQUOTED([IFCONFIG_PATH], [\"$IFCONFIG\"], [Path to ifconfig tool])\nAC_DEFINE_UNQUOTED([IPROUTE_PATH], [\"$IPROUTE\"], [Path to iproute tool])\nAC_DEFINE_UNQUOTED([ROUTE_PATH], [\"$ROUTE\"], [Path to route tool])\nAC_DEFINE_UNQUOTED([SYSTEMD_ASK_PASSWORD_PATH], [\"$SYSTEMD_ASK_PASSWORD\"], [Path to systemd-ask-password tool])\nAC_CHECK_TOOLS([WINDMC], [windmc mc.exe],[no])\n\n#\n# man page generation - based on python-docutils\n#\nAC_ARG_VAR([RST2MAN], [path to rst2man utility])\nAC_ARG_VAR([RST2HTML], [path to rst2html utility])\nAC_CHECK_PROGS([RST2MAN], [rst2man rst2man.py])\nAC_CHECK_PROGS([RST2HTML], [rst2html rst2html.py])\nAM_CONDITIONAL([HAVE_PYDOCUTILS], [test \"${RST2MAN}\" -a \"${RST2HTML}\"])\n\n# Set -std=c11 unless user already specified a -std=\ncase \"${CFLAGS}\" in\n *-std=*) ;;\n *) CFLAGS=\"${CFLAGS} -std=c11\" ;;\nesac\n\n#\n# Libtool\n#\nifdef(\n\t[LT_INIT],\n\t[\n\t\tLT_INIT([win32-dll])\n\t\tLT_LANG([Windows Resource])\n\t],\n\t[\n\t\tAC_LIBTOOL_WIN32_DLL\n\t\tAC_LIBTOOL_RC\n\t\tAC_PROG_LIBTOOL\n\t]\n)\n\nAC_C_INLINE\nAX_TYPE_SOCKLEN_T\nAC_CHECK_HEADERS([ \\\n\tfcntl.h io.h \\\n\tsys/types.h sys/socket.h \\\n\tunistd.h dlfcn.h \\\n\tnetinet/in.h \\\n\tnetinet/tcp.h arpa/inet.h netdb.h \\\n])\nAC_CHECK_HEADERS([ \\\n\tsys/time.h sys/ioctl.h sys/stat.h \\\n\tsys/mman.h sys/file.h sys/wait.h \\\n\tlibgen.h stropts.h \\\n\tsyslog.h pwd.h grp.h termios.h \\\n\tsys/sockio.h sys/uio.h \\\n\tpoll.h sys/epoll.h err.h \\\n])\n\nSOCKET_INCLUDES=\"\n#include \n#ifdef HAVE_SYS_TYPES_H\n#include \n#endif\n#ifdef HAVE_SYS_SOCKET_H\n#include \n#endif\n#ifdef HAVE_NET_IF_H\n#include \n#endif\n#ifdef HAVE_NETINET_IN_H\n#include \n#endif\n#ifdef _WIN32\n#include \n#endif\n#ifdef _WIN32\n#include \n#endif\n#ifdef _WIN32\n#include \n#endif\n#ifdef HAVE_NETINET_IP_H\n#include \n#endif\n\"\n\nAC_CHECK_HEADERS(\n\t[net/if.h netinet/ip.h resolv.h sys/un.h sys/kern_control.h],\n\t,\n\t,\n\t[[${SOCKET_INCLUDES}]]\n)\n\nAC_CHECK_TYPE(\n\t[struct msghdr],\n\t[AC_DEFINE([HAVE_MSGHDR], [1], [struct msghdr needed for extended socket error support])],\n\t,\n\t[[${SOCKET_INCLUDES}]]\n)\nAC_CHECK_TYPE(\n\t[struct cmsghdr],\n\t[AC_DEFINE([HAVE_CMSGHDR], [1], [struct cmsghdr needed for extended socket error support])],\n\t,\n\t[[${SOCKET_INCLUDES}]]\n)\nAC_CHECK_TYPE(\n\t[struct in_pktinfo],\n\t[AC_DEFINE([HAVE_IN_PKTINFO], [1], [struct in_pktinfo needed for IP_PKTINFO support])],\n\t,\n\t[[${SOCKET_INCLUDES}]]\n)\nAC_CHECK_TYPE(\n [sa_family_t],\n [AC_DEFINE([HAVE_SA_FAMILY_T], [1], [sa_family_t, needed to hold AF_* info])],\n ,\n [[${SOCKET_INCLUDES}]]\n)\nAC_CHECK_MEMBER(\n\t[struct in_pktinfo.ipi_spec_dst],\n\t[AC_DEFINE([HAVE_IPI_SPEC_DST], [1], [struct in_pktinfo.ipi_spec_dst needed for IP_PKTINFO support])],\n\t,\n\t[[${SOCKET_INCLUDES}]]\n)\nAC_CHECK_TYPE(\n\t[struct sockaddr_in6],\n\t,\n\t[AC_MSG_ERROR([struct sockaddr_in6 not found, needed for ipv6 transport support.])],\n\t[[${SOCKET_INCLUDES}]]\n)\n\nsaved_LDFLAGS=\"$LDFLAGS\"\nLDFLAGS=\"$LDFLAGS -Wl,--wrap=exit\"\nAC_MSG_CHECKING([linker supports --wrap])\nAC_LINK_IFELSE(\n\t[AC_LANG_PROGRAM(\n\t\t[[\n\t\t\tvoid exit(int);\n\t\t\tvoid __real_exit(int);\n\t\t\tvoid __wrap_exit(int i) {\n\t\t\t\t__real_exit(i);\n\t\t\t}\n\t\t]],\n\t\t[[\n\t\t\texit(0);\n\t\t]]\n\t)],\n\t[\n\t\tAC_MSG_RESULT([yes])\n\t\thave_ld_wrap_support=yes\n\t],\n\t[AC_MSG_RESULT([no])],\n)\nLDFLAGS=\"$saved_LDFLAGS\"\n\nAC_FUNC_FORK\n\nAC_CHECK_FUNCS([ \\\n\tdaemon chroot getpwnam setuid nice dup dup2 \\\n\tsyslog openlog mlockall getrlimit getgrnam setgid \\\n\tsetgroups flock gettimeofday \\\n\tsetsid chdir \\\n\tchsize ftruncate execve getpeereid basename dirname \\\n\tepoll_create strsep \\\n])\n\nAC_CHECK_LIB(\n\t[dl],\n\t[dlopen],\n\t[DL_LIBS=\"-ldl\"]\n)\nAC_SUBST([DL_LIBS])\n\nAC_CHECK_LIB(\n\t[nsl],\n\t[inet_ntoa],\n\t[SOCKETS_LIBS=\"${SOCKETS_LIBS} -lnsl\"]\n)\nAC_CHECK_LIB(\n\t[socket],\n\t[socket],\n\t[SOCKETS_LIBS=\"${SOCKETS_LIBS} -lsocket\"]\n)\nAC_CHECK_LIB(\n\t[resolv],\n\t[gethostbyname],\n\t[SOCKETS_LIBS=\"${SOCKETS_LIBS} -lresolv\"]\n)\nAC_SUBST([SOCKETS_LIBS])\n\nold_LIBS=\"${LIBS}\"\nLIBS=\"${LIBS} ${SOCKETS_LIBS}\"\nAC_CHECK_FUNCS([sendmsg recvmsg])\n\nLIBS=\"${old_LIBS}\"\n\n# we assume res_init() always exist, but need to find out *where*...\nAC_SEARCH_LIBS(__res_init, resolv bind, ,\n AC_SEARCH_LIBS(res_9_init, resolv bind, ,\n\tAC_SEARCH_LIBS(res_init, resolv bind, , )))\n\nAC_ARG_VAR([TAP_CFLAGS], [C compiler flags for tap])\nold_CFLAGS=\"${CFLAGS}\"\nCFLAGS=\"${CFLAGS} ${TAP_CFLAGS}\"\nAC_CHECK_HEADERS(\n\t[ \\\n\t\tnet/if_tun.h net/tun/if_tun.h \\\n\t\tlinux/if_tun.h \\\n\t\ttap-windows.h \\\n\t],\n\t[have_tap_header=\"yes\"]\n)\nCFLAGS=\"${old_CFLAGS}\"\ntest \"${have_tap_header}\" = \"yes\" || AC_MSG_ERROR([no tap header could be found])\n\nAC_CHECK_LIB(\n\t[selinux],\n\t[setcon],\n\t[SELINUX_LIBS=\"-lselinux\"]\n)\nAC_SUBST([SELINUX_LIBS])\n\nAC_ARG_VAR([LIBPAM_CFLAGS], [C compiler flags for libpam])\nAC_ARG_VAR([LIBPAM_LIBS], [linker flags for libpam])\nif test -z \"${LIBPAM_LIBS}\"; then\n\tAC_CHECK_LIB(\n\t\t[pam],\n\t\t[pam_start],\n\t\t[LIBPAM_LIBS=\"-lpam\"]\n\t)\nfi\n\ncase \"${with_mem_check}\" in\n\tvalgrind)\n\t\tAC_CHECK_HEADERS(\n\t\t\t[valgrind/memcheck.h],\n\t\t\t[\n\t\t\t\tCFLAGS=\"${CFLAGS} -g -fno-inline\"\n\t\t\t\tAC_DEFINE(\n\t\t\t\t\t[USE_VALGRIND],\n\t\t\t\t\t[1],\n\t\t\t\t\t[Use valgrind memory debugging library]\n\t\t\t\t)\n\t\t\t],\n\t\t\t[AC_MSG_ERROR([valgrind headers not found.])]\n\t\t)\n\t\t;;\n\tdmalloc)\n\t\tAC_CHECK_HEADERS(\n\t\t\t[dmalloc.h],\n\t\t\t[AC_CHECK_LIB(\n\t\t\t\t[dmalloc],\n\t\t\t\t[malloc],\n\t\t\t\t[\n\t\t\t\t\tLIBS=\"${LIBS} -ldmalloc\"\n\t\t\t\t\tAC_DEFINE(\n\t\t\t\t\t\t[DMALLOC],\n\t\t\t\t\t\t[1],\n\t\t\t\t\t\t[Use dmalloc memory debugging library]\n\t\t\t\t\t)\n\t\t\t\t],\n\t\t\t\t[AC_MSG_ERROR([dmalloc library not found.])]\n\t\t\t)],\n\t\t\t[AC_MSG_ERROR([dmalloc headers not found.])]\n\t\t)\n\t\t;;\n\tssl)\n\t\tAC_CHECK_LIB(\n\t\t\t[ssl],\n\t\t\t[CRYPTO_mem_ctrl],\n\t\t\t[\n\t\t\t\tAC_DEFINE(\n\t\t\t\t\t[CRYPTO_MDEBUG],\n\t\t\t\t\t[1],\n\t\t\t\t\t[Use memory debugging function in OpenSSL]\n\t\t\t\t)\n\t\t\t\tAC_MSG_NOTICE([NOTE: OpenSSL library must be compiled with CRYPTO_MDEBUG])\n\t\t\t],\n\t\t\t[AC_MSG_ERROR([Memory Debugging function in OpenSSL library not found.])]\n\t\t)\n\t\t;;\nesac\n\nif test \"$enable_dco\" != \"no\"; then\n\tenable_dco_arg=\"$enable_dco\"\n\tif test \"${enable_iproute2}\" = \"yes\"; then\n\t\tAC_MSG_WARN([DCO cannot be enabled when using iproute2])\n\t\tenable_dco=\"no\"\n\tfi\n\tcase \"$host\" in\n\t\t*-*-linux*)\n\t\t\tif test \"$enable_dco\" = \"no\"; then\n\t\t\t\tif test \"$enable_dco_arg\" = \"auto\"; then\n\t\t\t\t\tAC_MSG_WARN([DCO support disabled])\n\t\t\t\telse\n\t\t\t\t\tAC_MSG_ERROR([DCO support can't be enabled])\n\t\t\t\tfi\n\t\t\telse\n\t\t\t\tdnl\n\t\t\t\tdnl Include generic netlink library used to talk to ovpn-dco\n\t\t\t\tdnl\n\t\t\t\tPKG_CHECK_MODULES([LIBNL_GENL],\n\t\t\t\t\t [libnl-genl-3.0 >= 3.4.0],\n\t\t\t\t\t [have_libnl=\"yes\"],\n\t\t\t\t\t [\n\t\t\t\t\t AC_MSG_ERROR([libnl-genl-3.0 package not found or too old. Is the development package and pkg-config ${pkg_config_found} installed? Must be version 3.4.0 or newer for DCO])\n\t\t\t\t\t ]\n\t\t\t\t)\n\t\t\t\tOPTIONAL_LIBNL_GENL_CFLAGS=\"${LIBNL_GENL_CFLAGS}\"\n\t\t\t\tOPTIONAL_LIBNL_GENL_LIBS=\"${LIBNL_GENL_LIBS}\"\n\n\t\t\t\tAC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload])\n\t\t\t\tAC_MSG_NOTICE([Enabled ovpn-dco support for Linux])\n\t\t\tfi\n\t\t\t;;\n\t\t*-*-freebsd*)\n\t\t\tAC_CHECK_HEADERS([net/if_ovpn.h],\n\t\t\t\t[\n\t\t\t\t LIBS=\"${LIBS} -lnv\"\n\t\t\t\t AC_DEFINE(ENABLE_DCO, 1, [Enable data channel offload for FreeBSD])\n\t\t\t\t AC_MSG_NOTICE([Enabled ovpn-dco support for FreeBSD])\n\t\t\t\t],\n\t\t\t\t[\n\t\t\t\t enable_dco=\"no\"\n\t\t\t\t AC_MSG_WARN([DCO header not found.])\n\t\t\t\t]\n\t\t\t)\n\t\t\tif test \"$enable_dco\" = \"no\"; then\n\t\t\t\tif test \"$enable_dco_arg\" = \"auto\"; then\n\t\t\t\t\tAC_MSG_WARN([DCO support disabled])\n\t\t\t\telse\n\t\t\t\t\tAC_MSG_ERROR([DCO support can't be enabled])\n\t\t\t\tfi\n\t\t\tfi\n\t\t\t;;\n\t\t*-mingw*)\n\t\t\tAC_MSG_NOTICE([NOTE: --enable-dco ignored on Windows because it's always enabled])\n\t\t\t;;\n\t\t*)\n\t\t\tAC_MSG_NOTICE([Ignoring --enable-dco on non supported platform])\n\t\t\t;;\n\tesac\nfi\n\ndnl\ndnl Depend on libcap-ng on Linux\ndnl\ncase \"$host\" in\n\t*-*-linux*)\n\t\tPKG_CHECK_MODULES([LIBCAPNG],\n\t\t\t\t [libcap-ng],\n\t\t\t\t [],\n\t\t\t\t [AC_MSG_ERROR([libcap-ng package not found. Is the development package and pkg-config ${pkg_config_found} installed?])]\n\t\t)\n\t\tAC_CHECK_HEADER([sys/prctl.h],,[AC_MSG_ERROR([sys/prctl.h not found!])])\n\n\t\tOPTIONAL_LIBCAPNG_CFLAGS=\"${LIBCAPNG_CFLAGS}\"\n\t\tOPTIONAL_LIBCAPNG_LIBS=\"${LIBCAPNG_LIBS}\"\n\t\tAC_DEFINE(HAVE_LIBCAPNG, 1, [Enable libcap-ng support])\n\t;;\nesac\n\n\nif test \"${with_crypto_library}\" = \"openssl\"; then\n\tAC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])\n\tAC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])\n\n\tif test -z \"${OPENSSL_CFLAGS}\" -a -z \"${OPENSSL_LIBS}\"; then\n\t\t# if the user did not explicitly specify flags, try to autodetect\n\t\tPKG_CHECK_MODULES(\n\t\t\t[OPENSSL],\n\t\t\t[openssl >= 1.1.0],\n\t\t\t[have_openssl=\"yes\"],\n\t\t\t[AC_MSG_WARN([OpenSSL not found by pkg-config ${pkg_config_found}])] # If this fails, we will do another test next\n\t\t)\n\t\tOPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}\n\tfi\n\n\tsaved_CFLAGS=\"${CFLAGS}\"\n\tsaved_LIBS=\"${LIBS}\"\n\tCFLAGS=\"${CFLAGS} ${OPENSSL_CFLAGS}\"\n\tLIBS=\"${LIBS} ${OPENSSL_LIBS}\"\n\n\t# If pkgconfig check failed or OPENSSL_CFLAGS/OPENSSL_LIBS env vars\n\t# are used, check the version directly in the OpenSSL include file\n\tif test \"${have_openssl}\" != \"yes\"; then\n\t\tAC_MSG_CHECKING([additionally if OpenSSL is available and version >= 1.1.0])\n\t\tAC_COMPILE_IFELSE(\n\t\t\t[AC_LANG_PROGRAM(\n\t\t\t\t[[\n#include \n\t\t\t\t]],\n\t\t\t\t[[\n/*\t Version encoding: MNNFFPPS - see opensslv.h for details */\n#if OPENSSL_VERSION_NUMBER < 0x10100000L\n#error OpenSSL too old\n#endif\n\t\t\t\t]]\n\t\t\t)],\n\t\t\t[AC_MSG_RESULT([ok])],\n\t\t\t[AC_MSG_ERROR([OpenSSL version too old])]\n\t\t)\n\tfi\n\n\tAC_CHECK_FUNCS([SSL_CTX_new],\n\t\t\t\t ,\n\t\t\t\t [AC_MSG_ERROR([openssl check failed])]\n\t)\n\n\tif test \"${with_openssl_engine}\" = \"auto\"; then\n\t AC_COMPILE_IFELSE(\n\t\t\t\t [AC_LANG_PROGRAM(\n\t\t\t\t\t [[\n\t #include \n\t #include \n\t\t\t\t\t ]],\n\t\t\t\t\t [[\n\t /*\t Version encoding: MNNFFPPS - see opensslv.h for details */\n\t #if OPENSSL_VERSION_NUMBER >= 0x30000000L\n\t #error Engine support disabled by default in OpenSSL 3.0+\n\t #endif\n\n\t /*\t BoringSSL and LibreSSL >= 3.8.1 removed engine support */\n\t #ifdef OPENSSL_NO_ENGINE\n\t #error Engine support disabled in openssl/opensslconf.h\n\t #endif\n\t\t\t\t\t ]]\n\t\t\t\t )],\n\t\t\t\t [have_openssl_engine=\"yes\"],\n\t\t\t\t [have_openssl_engine=\"no\"]\n\t )\n\t if test \"${have_openssl_engine}\" = \"yes\"; then\n\t\tAC_CHECK_FUNCS(\n\t\t [ \\\n\t\t\tENGINE_load_builtin_engines \\\n\t\t\tENGINE_register_all_complete \\\n\t\t ],\n\t\t ,\n\t\t [have_openssl_engine=\"no\"; break]\n\t\t)\n\t fi\n\telse\n\t have_openssl_engine=\"${with_openssl_engine}\"\n\t if test \"${have_openssl_engine}\" = \"yes\"; then\n\t\tAC_CHECK_FUNCS(\n\t\t [ \\\n\t\t\tENGINE_load_builtin_engines \\\n\t\t\tENGINE_register_all_complete \\\n\t\t ],\n\t\t ,\n\t\t [AC_MSG_ERROR([OpenSSL engine support not found])]\n\t\t)\n\t fi\n\tfi\n\tif test \"${have_openssl_engine}\" = \"yes\"; then\n\t\tAC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available])\n\tfi\n\n\tAC_CHECK_FUNC(\n\t\t[EVP_aes_256_gcm],\n\t\t,\n\t\t[AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])]\n\t)\n\n\tCFLAGS=\"${saved_CFLAGS}\"\n\tLIBS=\"${saved_LIBS}\"\n\n\tAC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use OpenSSL library])\n\tCRYPTO_CFLAGS=\"${OPENSSL_CFLAGS}\"\n\tCRYPTO_LIBS=\"${OPENSSL_LIBS}\"\nelif test \"${with_crypto_library}\" = \"mbedtls\"; then\n\tAC_ARG_VAR([MBEDTLS_CFLAGS], [C compiler flags for mbedtls])\n\tAC_ARG_VAR([MBEDTLS_LIBS], [linker flags for mbedtls])\n\n\tsaved_CFLAGS=\"${CFLAGS}\"\n\tsaved_LIBS=\"${LIBS}\"\n\n\tif test -z \"${MBEDTLS_CFLAGS}\" -a -z \"${MBEDTLS_LIBS}\"; then\n\t\t# if the user did not explicitly specify flags, try to autodetect\n\t\tPKG_CHECK_MODULES([MBEDTLS],\n\t\t\t[mbedtls >= 3.2.1 mbedx509 >= 3.2.1 mbedcrypto >= 3.2.1],\n\t\t\t[have_mbedtls=\"yes\"],\n\t\t\t[LIBS=\"${LIBS} -lmbedtls -lmbedx509 -lmbedcrypto\"]\n\t\t)\n\t\t# mbedtls might not have pkgconfig integration, so try manually\n if test \"${have_mbedtls}\" != \"yes\"; then\n\t\t\tAC_CHECK_LIB(\n\t\t\t\t[mbedtls],\n\t\t\t\t[mbedtls_ssl_init],\n\t\t\t\t[MBEDTLS_LIBS=\"-lmbedtls -lmbedx509 -lmbedcrypto\"],\n\t\t\t\t[AC_MSG_ERROR([Could not find mbed TLS.])],\n\t\t\t)\n\t\tfi\n\tfi\n\n\tCFLAGS=\"${MBEDTLS_CFLAGS} ${CFLAGS}\"\n\tLIBS=\"${MBEDTLS_LIBS} ${LIBS}\"\n\n\tAC_MSG_CHECKING([mbedtls version])\n\tAC_COMPILE_IFELSE(\n\t\t[AC_LANG_PROGRAM(\n\t\t\t[[\n#include \n\t\t\t]],\n\t\t\t[[\n#if MBEDTLS_VERSION_NUMBER < 0x03020100\n#error invalid version\n#endif\n\t\t\t]]\n\t\t)],\n\t\t[AC_MSG_RESULT([ok])],\n\t\t[AC_MSG_ERROR([mbed TLS version >= 3.2.1 required])]\n\t)\n\n\tAC_CHECK_HEADERS(psa/crypto.h)\n\n\tCFLAGS=\"${saved_CFLAGS}\"\n\tLIBS=\"${saved_LIBS}\"\n\tAC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])\n\tCRYPTO_CFLAGS=\"${MBEDTLS_CFLAGS}\"\n\tCRYPTO_LIBS=\"${MBEDTLS_LIBS}\"\n\nelif test \"${with_crypto_library}\" = \"wolfssl\"; then\n\tAC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should\n contain the regular wolfSSL header files but also the wolfSSL OpenSSL header files.\n Ex: -I/usr/local/include -I/usr/local/include/wolfssl])\n\tAC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])\n\n\tsaved_CFLAGS=\"${CFLAGS}\"\n\tsaved_LIBS=\"${LIBS}\"\n\n\tif test -z \"${WOLFSSL_CFLAGS}\" -a -z \"${WOLFSSL_LIBS}\"; then\n\t\t# if the user did not explicitly specify flags, try to autodetect\n\t\tPKG_CHECK_MODULES(\n\t\t\t[WOLFSSL],\n\t\t\t[wolfssl],\n\t\t\t[],\n\t\t\t[AC_MSG_ERROR([Could not find wolfSSL using pkg-config ${pkg_config_found}])]\n\t\t)\n\t\tPKG_CHECK_VAR(\n\t\t\t[WOLFSSL_INCLUDEDIR],\n\t\t\t[wolfssl],\n\t\t\t[includedir],\n\t\t\t[],\n\t\t\t[AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]\n\t\t)\n\t\tWOLFSSL_CFLAGS=\"${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl\"\n\tfi\n\tsaved_CFLAGS=\"${CFLAGS}\"\n\tsaved_LIBS=\"${LIBS}\"\n\tCFLAGS=\"${CFLAGS} ${WOLFSSL_CFLAGS}\"\n\tLIBS=\"${LIBS} ${WOLFSSL_LIBS}\"\n\n\tAC_CHECK_LIB(\n\t\t[wolfssl],\n\t\t[wolfSSL_Init],\n\t\t[],\n\t\t[AC_MSG_ERROR([Could not link wolfSSL library.])]\n\t)\n\tAC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])\n\n\tif test \"${enable_wolfssl_options_h}\" = \"yes\"; then\n\t\tAC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])\n\telse\n\t\tAC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])\n\tfi\n\n\tCFLAGS=\"${saved_CFLAGS}\"\n\tLIBS=\"${saved_LIBS}\"\n\n\tAC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])\n\tAC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])\n\tCRYPTO_CFLAGS=\"${WOLFSSL_CFLAGS}\"\n\tCRYPTO_LIBS=\"${WOLFSSL_LIBS}\"\nelse\n\tAC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])\nfi\n\nAC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo])\nAC_ARG_VAR([LZO_LIBS], [linker flags for lzo])\nif test -z \"${LZO_CFLAGS}\" -a -z \"${LZO_LIBS}\"; then\n # if the user did not explicitly specify flags, try to autodetect\n PKG_CHECK_MODULES([LZO],\n\t\t[lzo2],\n\t\t[have_lzo=\"yes\"],\n\t\t[]\n )\n\n if test \"${have_lzo}\" != \"yes\"; then\n\t# try to detect without pkg-config\n\thave_lzo=\"yes\"\n\tAC_CHECK_LIB(\n\t\t[lzo2],\n\t\t[lzo1x_1_15_compress],\n\t\t[LZO_LIBS=\"-llzo2\"],\n\t\t[AC_CHECK_LIB(\n\t\t\t[lzo],\n\t\t\t[lzo1x_1_15_compress],\n\t\t\t[LZO_LIBS=\"-llzo\"],\n\t\t\t[have_lzo=\"no\"]\n\t\t)]\n\t)\n fi\nelse\n # assume the user configured it correctly\n have_lzo=\"yes\"\nfi\nif test \"${have_lzo}\" = \"yes\"; then\n\tsaved_CFLAGS=\"${CFLAGS}\"\n\tCFLAGS=\"${CFLAGS} ${LZO_CFLAGS}\"\n\tAC_CHECK_HEADERS(\n\t\t[lzo/lzo1x.h],\n\t\t,\n\t\t[AC_CHECK_HEADERS(\n\t\t\t[lzo1x.h],\n\t\t\t,\n\t\t\t[AC_MSG_ERROR([lzo1x.h is missing])],\n [#include \n #include \n #include ]\n\t\t)],\n\t)\n\tCFLAGS=\"${saved_CFLAGS}\"\nfi\n\ndnl\ndnl check for LZ4 library\ndnl\n\nAC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])\nAC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])\nif test \"$enable_lz4\" = \"yes\" && test \"$enable_comp_stub\" = \"no\"; then\n if test -z \"${LZ4_CFLAGS}\" -a -z \"${LZ4_LIBS}\"; then\n\t# if the user did not explicitly specify flags, try to autodetect\n\tPKG_CHECK_MODULES([LZ4],\n\t\t\t [liblz4 >= 1.7.1 liblz4 < 100],\n\t\t\t [have_lz4=\"yes\"],\n\t\t\t [LZ4_LIBS=\"-llz4\"] # If this fails, we will do another test next.\n\t\t\t\t\t # We also add set LZ4_LIBS otherwise the\n\t\t\t\t\t # linker will not know about the lz4 library\n\t)\n fi\n\n saved_CFLAGS=\"${CFLAGS}\"\n saved_LIBS=\"${LIBS}\"\n CFLAGS=\"${CFLAGS} ${LZ4_CFLAGS}\"\n LIBS=\"${LIBS} ${LZ4_LIBS}\"\n\n # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars\n # are used, check the version directly in the LZ4 include file\n if test \"${have_lz4}\" != \"yes\"; then\n\tAC_CHECK_HEADERS([lz4.h],\n\t\t\t [have_lz4h=\"yes\"],\n\t\t\t [])\n\n\tif test \"${have_lz4h}\" = \"yes\" ; then\n\t AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1])\n\t AC_COMPILE_IFELSE(\n\t\t[AC_LANG_PROGRAM([[\n#include \n\t\t\t\t ]],\n\t\t\t\t [[\n/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */\n#if LZ4_VERSION_NUMBER < 10701L\n#error LZ4 is too old\n#endif\n\t\t\t\t ]]\n\t\t\t\t)],\n\t\t[\n\t\t AC_MSG_RESULT([ok])\n\t\t have_lz4=\"yes\"\n\t\t],\n\t\t[AC_MSG_ERROR([system LZ4 library is too old])]\n\t )\n\tfi\n fi\n\n # Double check we have a few needed functions\n if test \"${have_lz4}\" = \"yes\" ; then\n\tAC_CHECK_LIB([lz4],\n\t\t [LZ4_compress_default],\n\t\t [],\n\t\t [have_lz4=\"no\"])\n\tAC_CHECK_LIB([lz4],\n\t\t [LZ4_decompress_safe],\n\t\t [],\n\t\t [have_lz4=\"no\"])\n fi\n\n if test \"${have_lz4}\" != \"yes\" ; then\n\tAC_MSG_ERROR([No compatible LZ4 compression library found. Consider --disable-lz4])\n\tLZ4_LIBS=\"\"\n fi\n OPTIONAL_LZ4_CFLAGS=\"${LZ4_CFLAGS}\"\n OPTIONAL_LZ4_LIBS=\"${LZ4_LIBS}\"\n AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])\n CFLAGS=\"${saved_CFLAGS}\"\n LIBS=\"${saved_LIBS}\"\nfi\n\n\ndnl\ndnl Check for systemd\ndnl\nAM_CONDITIONAL([ENABLE_SYSTEMD], [test \"${enable_systemd}\" = \"yes\"])\nif test \"$enable_systemd\" = \"yes\" ; then\n PKG_CHECK_MODULES([libsystemd], [libsystemd > 216],\n [],\n [AC_MSG_ERROR([systemd enabled but libsystemd is missing])]\n )\n\n OPTIONAL_SYSTEMD_CFLAGS=\"${libsystemd_CFLAGS}\"\n OPTIONAL_SYSTEMD_LIBS=\"${libsystemd_LIBS}\"\n AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration])\n\n if test -n \"${SYSTEMD_UNIT_DIR}\"; then\n systemdunitdir=\"${SYSTEMD_UNIT_DIR}\"\n else\n systemdunitdir=\"\\${libdir}/systemd/system\"\n fi\n\n if test -n \"${TMPFILES_DIR}\"; then\n tmpfilesdir=\"${TMPFILES_DIR}\"\n else\n tmpfilesdir=\"\\${libdir}/tmpfiles.d\"\n fi\nfi\n\n\nAC_MSG_CHECKING([git checkout])\nGIT_CHECKOUT=\"no\"\nif test -n \"${GIT}\"; then\n\tif ${GIT} -C \"$srcdir\" rev-parse --is-inside-work-tree >/dev/null 2>&1; then\n\t\tAC_DEFINE([HAVE_CONFIG_VERSION_H], [1], [extra version available in config-version.h])\n\t\tGIT_CHECKOUT=\"yes\"\n\tfi\nfi\nAC_MSG_RESULT([${GIT_CHECKOUT}])\n\ntest \"${enable_management}\" = \"yes\" && AC_DEFINE([ENABLE_MANAGEMENT], [1], [Enable management server capability])\ntest \"${enable_debug}\" = \"yes\" && AC_DEFINE([ENABLE_DEBUG], [1], [Enable debugging support])\ntest \"${enable_small}\" = \"yes\" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size])\ntest \"${enable_fragment}\" = \"yes\" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support])\ntest \"${enable_port_share}\" = \"yes\" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing])\ntest \"${enable_dns_updown_by_default}\" = \"yes\" && AC_DEFINE([ENABLE_DNS_UPDOWN_BY_DEFAULT], [1], [Enable dns-updown hook by default])\ntest \"${enable_crypto_ofb_cfb}\" = \"yes\" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])\nOPTIONAL_CRYPTO_CFLAGS=\"${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}\"\nOPTIONAL_CRYPTO_LIBS=\"${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}\"\n\nif test \"${enable_plugins}\" = \"yes\"; then\n\tOPTIONAL_DL_LIBS=\"${DL_LIBS}\"\n\tAC_DEFINE([ENABLE_PLUGIN], [1], [Enable plug-in support])\nelse\n\tenable_plugin_auth_pam=\"no\"\n\tenable_plugin_down_root=\"no\"\nfi\n\nAM_CONDITIONAL([HAVE_SITNL], [false])\n\nif test \"${enable_iproute2}\" = \"yes\"; then\n\ttest \"${enable_dco}\" = \"yes\" && AC_MSG_ERROR([iproute2 support cannot be enabled when using DCO])\n\ttest -z \"${IPROUTE}\" && AC_MSG_ERROR([ip utility is required but missing])\n\tAC_DEFINE([ENABLE_IPROUTE], [1], [enable iproute2 support])\nelse if test \"${have_sitnl}\" = \"yes\"; then\n\tAC_DEFINE([ENABLE_SITNL], [1], [enable sitnl support])\n\tAM_CONDITIONAL([HAVE_SITNL], [true])\nelse if test \"${WIN32}\" != \"yes\" -a \"${have_sitnl}\" != \"yes\"; then\n\ttest -z \"${ROUTE}\" && AC_MSG_ERROR([route utility is required but missing])\n\ttest -z \"${IFCONFIG}\" && AC_MSG_ERROR([ifconfig utility is required but missing])\nfi\nfi\nfi\n\nif test \"${enable_selinux}\" = \"yes\"; then\n\ttest -z \"${SELINUX_LIBS}\" && AC_MSG_ERROR([libselinux required but missing])\n\tOPTIONAL_SELINUX_LIBS=\"${SELINUX_LIBS}\"\n\tAC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])\nfi\n\nif test \"${enable_lzo}\" = \"yes\"; then\n\ttest \"${have_lzo}\" != \"yes\" && AC_MSG_ERROR([lzo enabled but missing])\n\tOPTIONAL_LZO_CFLAGS=\"${LZO_CFLAGS}\"\n\tOPTIONAL_LZO_LIBS=\"${LZO_LIBS}\"\n\tAC_DEFINE([ENABLE_LZO], [1], [Enable LZO compression library])\nfi\nif test \"${enable_comp_stub}\" = \"yes\"; then\n\ttest \"${enable_lzo}\" = \"yes\" && AC_MSG_ERROR([Cannot have both comp stub and lzo enabled (use --disable-lzo)])\n\ttest \"${enable_lz4}\" = \"yes\" && AC_MSG_ERROR([Cannot have both comp stub and LZ4 enabled (use --disable-lz4)])\n\tAC_DEFINE([ENABLE_COMP_STUB], [1], [Enable compression stub capability])\nfi\n\nAM_CONDITIONAL([HAVE_SOFTHSM2], [false])\nif test \"${enable_pkcs11}\" = \"yes\"; then\n\tPKG_CHECK_MODULES(\n\t\t[PKCS11_HELPER],\n\t\t[libpkcs11-helper-1 >= 1.11],\n\t\t[have_pkcs11_helper=\"yes\"],\n\t\t[AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])]\n\t)\n\tOPTIONAL_PKCS11_HELPER_CFLAGS=\"${PKCS11_HELPER_CFLAGS}\"\n\tOPTIONAL_PKCS11_HELPER_LIBS=\"${PKCS11_HELPER_LIBS}\"\n\tAC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])\n\tPKG_CHECK_MODULES(\n\t\t[P11KIT],\n\t\t[p11-kit-1],\n\t\t[proxy_module=\"`$PKG_CONFIG --variable=proxy_module p11-kit-1`\"\n\t\t AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], \"${proxy_module}\", [p11-kit proxy])],\n\t\t[]\n\t)\n\t#\n\t# softhsm2 for pkcs11 tests\n\t#\n\tAC_ARG_VAR([P11TOOL], [full path to p11tool])\n\tAC_PATH_PROGS([P11TOOL], [p11tool],, [$PATH:/usr/local/bin:/usr/bin:/bin])\n\tAC_DEFINE_UNQUOTED([P11TOOL_PATH], [\"$P11TOOL\"], [Path to p11tool])\n\tAC_ARG_VAR([SOFTHSM2_UTIL], [full path to softhsm2-util])\n\tAC_ARG_VAR([SOFTHSM2_MODULE], [full path to softhsm2 module @<:@default=/usr/lib/softhsm/libsofthsm2.so@:>@])\n\tAC_PATH_PROGS([SOFTHSM2_UTIL], [softhsm2-util],, [$PATH:/usr/local/bin:/usr/bin:/bin])\n\ttest -z \"$SOFTHSM2_MODULE\" && SOFTHSM2_MODULE=/usr/lib/softhsm/libsofthsm2.so\n\tAC_DEFINE_UNQUOTED([SOFTHSM2_UTIL_PATH], [\"$SOFTHSM2_UTIL\"], [Path to softhsm2-util])\n\tAC_DEFINE_UNQUOTED([SOFTHSM2_MODULE_PATH], [\"$SOFTHSM2_MODULE\"], [Path to softhsm2 module])\n\tif test \"${with_crypto_library}\" = \"openssl\"; then\n\t\tAM_CONDITIONAL([HAVE_SOFTHSM2], [test \"${P11TOOL}\" -a \"${SOFTHSM2_UTIL}\" -a \"${SOFTHSM2_MODULE}\"])\n\tfi\nfi\n\n# When testing a compiler option, we add -Werror to force\n# an error when the option is unsupported. This is not\n# required for gcc, but some compilers such as clang need it.\nAC_DEFUN([ACL_CHECK_ADD_COMPILE_FLAGS], [\n old_cflags=\"$CFLAGS\"\n CFLAGS=\"-Werror $CFLAGS $1\"\n AC_MSG_CHECKING([whether the compiler accepts $1])\n AC_COMPILE_IFELSE([AC_LANG_PROGRAM()], [AC_MSG_RESULT([yes])]; CFLAGS=\"$old_cflags $1\",\n [AC_MSG_RESULT([no]); CFLAGS=\"$old_cflags\"])]\n)\n\nACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation])\nACL_CHECK_ADD_COMPILE_FLAGS([-Wstrict-prototypes])\nACL_CHECK_ADD_COMPILE_FLAGS([-Wold-style-definition])\nACL_CHECK_ADD_COMPILE_FLAGS([-Wconversion -Wno-sign-conversion])\nACL_CHECK_ADD_COMPILE_FLAGS([-Wall])\nACL_CHECK_ADD_COMPILE_FLAGS([-Wextra -Wno-unused-parameter])\n# clang doesn't have the different levels but also doesn't include it in -Wextra\nACL_CHECK_ADD_COMPILE_FLAGS([-Wimplicit-fallthrough=2])\nif test \"${WIN32}\" = \"yes\"; then\n # Not sure how to deal with GetProcAddress\n\tACL_CHECK_ADD_COMPILE_FLAGS([-Wno-cast-function-type])\nfi\n\nif test \"${enable_pedantic}\" = \"yes\"; then\n\tenable_strict=\"yes\"\n\tCFLAGS=\"${CFLAGS} -pedantic\"\n\tAC_DEFINE([PEDANTIC], [1], [Enable pedantic mode])\nfi\nif test \"${enable_strict}\" = \"yes\"; then\n\tCFLAGS=\"${CFLAGS} -Wsign-compare -Wuninitialized\"\nfi\nif test \"${enable_werror}\" = \"yes\"; then\n\tCFLAGS=\"${CFLAGS} -Werror\"\nfi\n\nif test \"${enable_plugin_auth_pam}\" = \"yes\"; then\n\tPLUGIN_AUTH_PAM_CFLAGS=\"${LIBPAM_CFLAGS}\"\n\tif test \"${enable_pam_dlopen}\" = \"yes\"; then\n\t\tAC_DEFINE([USE_PAM_DLOPEN], [1], [dlopen libpam])\n\t\tPLUGIN_AUTH_PAM_LIBS=\"${DL_LIBS}\"\n\telse\n\t\ttest -z \"${LIBPAM_LIBS}\" && AC_MSG_ERROR([libpam required but missing])\n\t\tPLUGIN_AUTH_PAM_LIBS=\"${LIBPAM_LIBS}\"\n\tfi\nfi\n\nif test \"${enable_async_push}\" = \"yes\"; then\n\tcase \"$host\" in\n\t\t*-*-freebsd1[[0-4]]*)\n\t\t\tPKG_CHECK_MODULES(\n\t\t\t\t[OPTIONAL_INOTIFY],\n\t\t\t\t[libinotify],\n\t\t\t\t[\n\t\t\t\t\tAC_DEFINE([HAVE_SYS_INOTIFY_H])\n\t\t\t\t\tAC_DEFINE([ENABLE_ASYNC_PUSH], [1], [Enable async push])\n\t\t\t\t]\n\t\t\t)\n\t\t;;\n\t\t*)\n\t\t\tAC_CHECK_HEADERS(\n\t\t\t\t[sys/inotify.h],\n\t\t\t\tAC_DEFINE([ENABLE_ASYNC_PUSH], [1], [Enable async push]),\n\t\t\t\tAC_MSG_ERROR([inotify.h not found.])\n\t\t\t)\n\t\t;;\n\tesac\nfi\n\nCONFIGURE_DEFINES=\"`set | grep '^enable_.*=' ; set | grep '^with_.*='`\"\nAC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], [\"`echo ${CONFIGURE_DEFINES}`\"], [Configuration settings])\n\nTAP_WIN_COMPONENT_ID=\"PRODUCT_TAP_WIN_COMPONENT_ID\"\nTAP_WIN_MIN_MAJOR=\"PRODUCT_TAP_WIN_MIN_MAJOR\"\nTAP_WIN_MIN_MINOR=\"PRODUCT_TAP_WIN_MIN_MINOR\"\nAC_DEFINE_UNQUOTED([TAP_WIN_COMPONENT_ID], [\"${TAP_WIN_COMPONENT_ID}\"], [The tap-windows id])\nAC_DEFINE_UNQUOTED([TAP_WIN_MIN_MAJOR], [${TAP_WIN_MIN_MAJOR}], [The tap-windows version number is required for OpenVPN])\nAC_DEFINE_UNQUOTED([TAP_WIN_MIN_MINOR], [${TAP_WIN_MIN_MINOR}], [The tap-windows version number is required for OpenVPN])\nAC_SUBST([TAP_WIN_COMPONENT_ID])\nAC_SUBST([TAP_WIN_MIN_MAJOR])\nAC_SUBST([TAP_WIN_MIN_MINOR])\n\nAC_SUBST([OPTIONAL_DL_LIBS])\nAC_SUBST([OPTIONAL_SELINUX_LIBS])\nAC_SUBST([OPTIONAL_CRYPTO_CFLAGS])\nAC_SUBST([OPTIONAL_CRYPTO_LIBS])\nAC_SUBST([OPTIONAL_LIBCAPNG_CFLAGS])\nAC_SUBST([OPTIONAL_LIBCAPNG_LIBS])\nAC_SUBST([OPTIONAL_LIBNL_GENL_CFLAGS])\nAC_SUBST([OPTIONAL_LIBNL_GENL_LIBS])\nAC_SUBST([OPTIONAL_LZO_CFLAGS])\nAC_SUBST([OPTIONAL_LZO_LIBS])\nAC_SUBST([OPTIONAL_LZ4_CFLAGS])\nAC_SUBST([OPTIONAL_LZ4_LIBS])\nAC_SUBST([OPTIONAL_SYSTEMD_CFLAGS])\nAC_SUBST([OPTIONAL_SYSTEMD_LIBS])\nAC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS])\nAC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])\nAC_SUBST([OPTIONAL_INOTIFY_CFLAGS])\nAC_SUBST([OPTIONAL_INOTIFY_LIBS])\n\nAC_SUBST([PLUGIN_AUTH_PAM_CFLAGS])\nAC_SUBST([PLUGIN_AUTH_PAM_LIBS])\n\nAM_CONDITIONAL([WIN32], [test \"${WIN32}\" = \"yes\"])\nAM_CONDITIONAL([GIT_CHECKOUT], [test \"${GIT_CHECKOUT}\" = \"yes\"])\nAM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test \"${enable_plugin_auth_pam}\" = \"yes\"])\nAM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test \"${enable_plugin_down_root}\" = \"yes\"])\nAM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test \"${have_ld_wrap_support}\" = \"yes\"])\nAM_CONDITIONAL([OPENSSL_ENGINE], [test \"${have_openssl_engine}\" = \"yes\"])\n\nsampledir=\"\\$(docdir)/sample\"\nAC_SUBST([plugindir])\nAC_SUBST([scriptdir])\nAC_SUBST([sampledir])\n\nAC_SUBST([systemdunitdir])\nAC_SUBST([tmpfilesdir])\n\nAC_ARG_ENABLE(\n [unit-tests],\n [AS_HELP_STRING([--disable-unit-tests],\n [Disables building and running the unit tests suite])],\n [],\n [enable_unit_tests=\"yes\"]\n)\n\n# Check if cmocka is available - needed for unit testing\nPKG_CHECK_MODULES(\n\t[CMOCKA], [cmocka],\n\t[have_cmocka=\"yes\"],\n\t[AC_MSG_WARN([cmocka.pc not found on the system using pkg-config ${pkg_config_found}. Unit tests disabled])]\n)\nAM_CONDITIONAL([ENABLE_UNITTESTS], [false])\nif test \"${enable_unit_tests}\" = \"yes\" -a \"${have_cmocka}\" = \"yes\"; then\n AM_CONDITIONAL([ENABLE_UNITTESTS], [true])\n\n saved_CFLAGS=\"${CFLAGS}\"\n CFLAGS=\"${CFLAGS} ${CMOCKA_CFLAGS}\"\n # detect cmocka < 2.0.0 that had no cmocka_version.h\n AC_CHECK_HEADERS([cmocka_version.h])\n CFLAGS=\"${saved_CFLAGS}\"\nfi\nAC_SUBST([ENABLE_UNITTESTS])\n\nTEST_LDFLAGS=\"${OPTIONAL_CRYPTO_LIBS} ${OPTIONAL_PKCS11_HELPER_LIBS} ${OPTIONAL_LIBCAPNG_LIBS}\"\nTEST_LDFLAGS=\"${TEST_LDFLAGS} ${OPTIONAL_LIBNL_GENL_LIBS}\"\nTEST_LDFLAGS=\"${TEST_LDFLAGS} ${OPTIONAL_LZO_LIBS} ${CMOCKA_LIBS}\"\nTEST_CFLAGS=\"${OPTIONAL_CRYPTO_CFLAGS} ${OPTIONAL_PKCS11_HELPER_CFLAGS} ${OPTIONAL_LIBCAPNG_CFLAGS}\"\nTEST_CFLAGS=\"${TEST_CFLAGS} ${OPTIONAL_LIBNL_GENL_CFLAGS} ${OPTIONAL_LZO_CFLAGS}\"\nTEST_CFLAGS=\"${TEST_CFLAGS} -I\\$(top_srcdir)/include ${CMOCKA_CFLAGS}\"\n\nAC_SUBST([TEST_LDFLAGS])\nAC_SUBST([TEST_CFLAGS])\n\nAC_CONFIG_FILES([\n\tMakefile\n\tdistro/Makefile\n\tdistro/systemd/Makefile\n\tdistro/dns-scripts/Makefile\n\tdoc/Makefile\n\tdoc/doxygen/Makefile\n\tdoc/doxygen/openvpn.doxyfile\n\tinclude/Makefile\n\tsample/sample-plugins/Makefile\n\tsrc/Makefile\n\tsrc/compat/Makefile\n\tsrc/openvpn/Makefile\n\tsrc/openvpnmsica/Makefile\n\tsrc/openvpnserv/Makefile\n\tsrc/plugins/Makefile\n\tsrc/plugins/auth-pam/Makefile\n\tsrc/plugins/down-root/Makefile\n\tsrc/tapctl/Makefile\n\ttests/Makefile\n tests/unit_tests/Makefile\n tests/unit_tests/example_test/Makefile\n tests/unit_tests/openvpn/Makefile\n tests/unit_tests/openvpnserv/Makefile\n tests/unit_tests/plugins/Makefile\n tests/unit_tests/plugins/auth-pam/Makefile\n\tsample/Makefile\n])\nAC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh])\nAC_OUTPUT\n" }, { "path": "contrib/OCSP_check/OCSP_check.sh", "content": "#!/bin/sh\n\n# Sample script to perform OCSP queries with OpenSSL\n# given a certificate serial number.\n\n# If you run your own CA, you can set up a very simple\n# OCSP server using the -port option to \"openssl ocsp\".\n\n# Full documentation and examples:\n# https://docs.openssl.org/master/man1/openssl-ocsp/#openssl-ocsp\n\n\n# Edit the following values to suit your needs\n\n# OCSP responder URL (mandatory)\n# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER\n#ocsp_url=\"http://ocsp.example.com/\"\n#ocsp_url=\"https://ocsp.secure.example.com/\"\n\n# Path to issuer certificate (mandatory)\n# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE\nissuer=\"/path/to/CAcert.crt\"\n\n# use a nonce in the query, set to \"-no_nonce\" to not use it\nnonce=\"-nonce\"\n\n# Verify the response\n# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT\nverify=\"/path/to/CAcert.crt\"\n\n# Depth in the certificate chain where the cert to verify is.\n# Set to -1 to run the verification at every level (NOTE that\n# in that case you need a more complex script as the various\n# parameters for the query will likely be different at each level)\n# \"0\" is the usual value here, where the client certificate is\ncheck_depth=0\n\ncur_depth=$1 # this is the *CURRENT* depth\ncommon_name=$2 # CN in case you need it\n\n# minimal sanity checks\n\nerr=0\nif [ -z \"$issuer\" ] || [ ! -e \"$issuer\" ]; then\n echo \"Error: issuer certificate undefined or not found!\" >&2\n err=1\nfi\n\nif [ -z \"$verify\" ] || [ ! -e \"$verify\" ]; then\n echo \"Error: verification certificate undefined or not found!\" >&2\n err=1\nfi\n\nif [ -z \"$ocsp_url\" ]; then\n echo \"Error: OCSP server URL not defined!\" >&2\n err=1\nfi\n\nif [ $err -eq 1 ]; then\n echo \"Did you forget to customize the variables in the script?\" >&2\n exit 1\nfi\n\n# begin\nif [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then\n\n eval serial=\"\\$tls_serial_${cur_depth}\"\n\n # To successfully complete, the following must happen:\n #\n # - The serial number must not be empty\n # - The exit status of \"openssl ocsp\" must be zero\n # - The output of the above command must contain the line\n # \"${serial}: good\"\n #\n # Everything else fails with exit status 1.\n\n if [ -n \"$serial\" ]; then\n\n # This is only an example; you are encouraged to run this command (without\n # redirections) manually against your or your CA's OCSP server to see how\n # it responds, and adapt accordingly.\n # Sample output that is assumed here:\n #\n # Response verify OK\n # 4287405: good\n # This Update: Apr 24 19:38:49 2010 GMT\n # Next Update: May 2 14:23:42 2010 GMT\n #\n # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL\n # can in some circumstances give a \"good\" result if it could not\n # reach the OSCP server. In this case, the exit code will indicate\n # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0,\n # don't trust the OpenSSL status.\n\n status=$(openssl ocsp -issuer \"$issuer\" \\\n \"$nonce\" \\\n -CAfile \"$verify\" \\\n -url \"$ocsp_url\" \\\n -serial \"${serial}\" 2>&1)\n\n if [ $? -eq 0 ]; then\n # check if ocsp didn't report any errors\n if echo \"$status\" | grep -Eq \"(error|fail)\"; then\n exit 1\n fi\n # check that the reported status of certificate is ok\n if echo \"$status\" | grep -Eq \"^${serial}: good\"; then\n # check if signature on the OCSP response verified correctly\n if echo \"$status\" | grep -Eq \"^Response verify OK\"; then\n exit 0\n fi\n fi\n fi\n fi\n # if we get here, something was wrong\n exit 1\nfi\n" }, { "path": "contrib/README", "content": "This directory contains scripts and patches contributed\nby users.\n" }, { "path": "contrib/cmake/git-version.py", "content": "#\n# OpenVPN -- An application to securely tunnel IP networks\n# over a single UDP port, with support for SSL/TLS-based\n# session authentication and key exchange,\n# packet encryption, packet authentication, and\n# packet compression.\n#\n# Copyright (C) 2022-2026 OpenVPN Inc \n# Copyright (C) 2022-2022 Lev Stipakov \n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License along\n# with this program; if not, see .\n#\n\n# Usage: ./git-version.py [directory]\n# Find a good textual representation of the git commit currently checked out.\n# Make that representation available as CONFIGURE_GIT_REVISION in\n# /config-version.h.\n# It will prefer a tag name if it is checked out exactly, otherwise will use\n# the branch name. 'none' if no branch is checked out (detached HEAD).\n# This is used to enhance the output of openvpn --version with Git information.\n\nimport os\nimport sys\nimport subprocess\n\ndef run_command(args):\n sp = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)\n o, _ = sp.communicate()\n return o.decode(\"utf-8\")[:-1]\n\ndef get_branch_commit_id():\n commit_id = run_command([\"git\", \"rev-parse\", \"--short=16\", \"HEAD\"])\n if not commit_id:\n raise\n branch = run_command([\"git\", \"describe\", \"--exact-match\"])\n if not branch:\n # this returns an array like [\"master\"] or [\"release\", \"2.6\"]\n branch = run_command([\"git\", \"rev-parse\", \"--symbolic-full-name\", \"HEAD\"]).split(\"/\")[2:]\n if not branch:\n branch = [\"none\"]\n branch = \"/\" .join(branch) # handle cases like release/2.6\n\n return branch, commit_id\n\ndef main():\n try:\n branch, commit_id = get_branch_commit_id()\n except:\n branch, commit_id = \"unknown\", \"unknown\"\n\n prev_content = \"\"\n\n name = os.path.join(\"%s\" % (sys.argv[1] if len(sys.argv) > 1 else \".\"), \"config-version.h\")\n try:\n with open(name, \"r\") as f:\n prev_content = f.read()\n except:\n # file doesn't exist\n pass\n\n content = \"#define CONFIGURE_GIT_REVISION \\\"%s/%s\\\"\\n\" % (branch, commit_id)\n content += \"#define CONFIGURE_GIT_FLAGS \\\"\\\"\\n\"\n\n if prev_content != content:\n print(\"Writing %s\" % name)\n with open(name, \"w\") as f:\n f.write(content)\n else:\n print(\"Content of %s hasn't changed\" % name)\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "contrib/cmake/parse-version.m4.py", "content": "#\n# OpenVPN -- An application to securely tunnel IP networks\n# over a single UDP port, with support for SSL/TLS-based\n# session authentication and key exchange,\n# packet encryption, packet authentication, and\n# packet compression.\n#\n# Copyright (C) 2022-2026 OpenVPN Inc \n# Copyright (C) 2022-2022 Lev Stipakov \n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License along\n# with this program; if not, see .\n#\n\n# Usage: ./parse-version.m4.py m4file [directory]\n# Read , extract all lines looking like M4 define(), and translate\n# them into CMake style set(). Those are then written out to file\n# /version.cmake.\n# Intended to be used on top-level version.m4 file.\n\nimport os\nimport re\nimport sys\n\ndef main():\n assert len(sys.argv) > 1\n version_path = sys.argv[1]\n output = []\n with open(version_path, 'r') as version_file:\n for line in version_file:\n match = re.match(r'[ \\t]*define\\(\\[(.*)\\],[ \\t]*\\[(.*)\\]\\)[ \\t]*', line)\n if match is not None:\n output.append(match.expand(r'set(\\1 \\2)'))\n out_path = os.path.join(\"%s\" % (sys.argv[2] if len(sys.argv) > 2 else \".\"), \"version.cmake\")\n\n prev_content = \"\"\n try:\n with open(out_path, \"r\") as out_file:\n prev_content = out_file.read()\n except:\n # file doesn't exist\n pass\n\n content = \"\\n\".join(output) + \"\\n\"\n if prev_content != content:\n print(\"Writing %s\" % out_path)\n with open(out_path, \"w\") as out_file:\n out_file.write(content)\n else:\n print(\"Content of %s hasn't changed\" % out_path)\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "contrib/extract-crl/extractcrl.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n'''\nHelper script for CRL (certificate revocation list) file extraction\nto a directory containing files named as decimal serial numbers of\nthe revoked certificates, to be used with OpenVPN CRL directory\nverify mode. To enable this mode, directory and 'dir' flag needs to\nbe specified as parameters of '--crl-verify' option.\nFor more information refer OpenVPN tls-options.rst.\n\nUsage example:\n extractcrl.py -f pem /path/to/crl.pem /path/to/outdir\n extractcrl.py -f der /path/to/crl.crl /path/to/outdir\n cat /path/to/crl.pem | extractcrl.py -f pem - /path/to/outdir\n cat /path/to/crl.crl | extractcrl.py -f der - /path/to/outdir\n\nOutput example:\n Loaded: 309797 revoked certs in 4.136s\n Scanned: 312006 files in 0.61s\n Created: 475 files in 0.05s\n Removed: 2684 files in 0.116s\n'''\n\nimport argparse\nimport os\nimport sys\nimport time\nfrom subprocess import check_output\n\nFILETYPE_PEM = 'PEM'\nFILETYPE_DER = 'DER'\n\ndef measure_time(method):\n def elapsed(*args, **kwargs):\n start = time.time()\n result = method(*args, **kwargs)\n return result, round(time.time() - start, 3)\n return elapsed\n\n@measure_time\ndef load_crl(filename, format):\n\n def try_openssl_module(filename, format):\n from cryptography import x509\n load_crl_functions = {\n FILETYPE_PEM: x509.load_pem_x509_crl,\n FILETYPE_DER: x509.load_der_x509_crl\n }\n if filename == '-':\n crl = load_crl_functions[format](sys.stdin.buffer.read())\n else:\n with open(filename, 'rb') as f:\n crl = load_crl_functions[format](f.read())\n return set(r.serial_number for r in crl)\n\n def try_openssl_exec(filename, format):\n args = ['openssl', 'crl', '-inform', format, '-text']\n if filename != '-':\n args += ['-in', filename]\n serials = set()\n for line in check_output(args, universal_newlines=True).splitlines():\n _, _, serial = line.partition('Serial Number:')\n if serial:\n serials.add(int(serial.strip(), 16))\n return serials\n\n try:\n return try_openssl_module(filename, format)\n except ImportError:\n return try_openssl_exec(filename, format)\n\n@measure_time\ndef scan_dir(dirname):\n _, _, files = next(os.walk(dirname))\n return set(int(f) for f in files if f.isdigit())\n\n@measure_time\ndef create_new_files(dirname, newset, oldset):\n addset = newset.difference(oldset)\n for serial in addset:\n try:\n with open(os.path.join(dirname, str(serial)), 'xb'): pass\n except FileExistsError:\n pass\n return addset\n\n@measure_time\ndef remove_old_files(dirname, newset, oldset):\n delset = oldset.difference(newset)\n for serial in delset:\n try:\n os.remove(os.path.join(dirname, str(serial)))\n except FileNotFoundError:\n pass\n return delset\n\ndef check_crlfile(arg):\n if arg == '-' or os.path.isfile(arg):\n return arg\n raise argparse.ArgumentTypeError('No such file \"{}\"'.format(arg))\n\ndef check_outdir(arg):\n if os.path.isdir(arg):\n return arg\n raise argparse.ArgumentTypeError('No such directory: \"{}\"'.format(arg))\n\ndef main():\n parser = argparse.ArgumentParser(description='OpenVPN CRL extractor')\n parser.add_argument('-f', '--format',\n type=str.upper,\n default=FILETYPE_PEM, choices=[FILETYPE_PEM, FILETYPE_DER],\n help='input CRL format - default {}'.format(FILETYPE_PEM)\n )\n parser.add_argument('crlfile', metavar='CRLFILE|-',\n type=lambda x: check_crlfile(x),\n help='input CRL file or \"-\" for stdin'\n )\n parser.add_argument('outdir', metavar='OUTDIR',\n type=lambda x: check_outdir(x),\n help='output directory for serials numbers'\n )\n args = parser.parse_args()\n\n certs, t = load_crl(args.crlfile, args.format)\n print('Loaded: {} revoked certs in {}s'.format(len(certs), t))\n\n files, t = scan_dir(args.outdir)\n print('Scanned: {} files in {}s'.format(len(files), t))\n\n created, t = create_new_files(args.outdir, certs, files)\n print('Created: {} files in {}s'.format(len(created), t))\n\n removed, t = remove_old_files(args.outdir, certs, files)\n print('Removed: {} files in {}s'.format(len(removed), t))\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "contrib/multilevel-init.patch", "content": "--- /etc/init.d/openvpn\t2004-05-12 20:30:06.000000000 +0200\n+++ openvpn\t2004-05-12 20:34:33.000000000 +0200\n@@ -58,13 +58,13 @@\n # returning success or failure status to caller (James Yonan).\n \n # Location of openvpn binary\n-openvpn=\"/usr/sbin/openvpn\"\n+openvpn=/usr/sbin/openvpn\n \n # Lockfile\n-lock=\"/var/lock/subsys/openvpn\"\n+lock=/var/lock/subsys/openvpn\n \n # PID directory\n-piddir=\"/var/run/openvpn\"\n+piddir=/var/run/openvpn\n \n # Our working directory\n work=/etc/openvpn\n@@ -106,7 +106,7 @@\n \n \tif [ -f $lock ]; then\n \t # we were not shut down correctly\n-\t for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do\n+\t for pidf in `find $piddir -name \"*.pid\" 2>/dev/null`; do\n \t if [ -s $pidf ]; then\n \t\tkill `cat $pidf` >/dev/null 2>&1\n \t fi\n@@ -116,12 +116,12 @@\n \t sleep 2\n \tfi\n \n-\trm -f $piddir/*.pid $piddir/*/*.pid\n+\tfind $piddir -name \"*.pid\"|xargs rm -f\n \n \t# Start every .conf in $work and run .sh if exists\n \terrors=0\n \tsuccesses=0\n-\tfor c in `/bin/ls *.conf */*.conf 2>/dev/null`; do\n+\tfor c in `find * -name \"*.conf\" 2>/dev/null`; do\n \t bn=${c%%.conf}\n \t if [ -f \"$bn.sh\" ]; then\n \t\t. $bn.sh\n@@ -147,7 +147,7 @@\n \t;;\n stop)\n \techo -n $\"Shutting down openvpn: \"\n-\tfor pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do\n+\tfor pidf in `find $piddir -name \"*.pid\" 2>/dev/null`; do\n \t if [ -s $pidf ]; then\n \t kill `cat $pidf` >/dev/null 2>&1\n \t fi\n@@ -163,7 +163,7 @@\n \t;;\n reload)\n \tif [ -f $lock ]; then\n-\t for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do\n+\t for pidf in `find $piddir -name \"*.pid\" 2>/dev/null`; do\n \t\tif [ -s $pidf ]; then\n \t\t kill -HUP `cat $pidf` >/dev/null 2>&1\n \t\tfi\n@@ -175,7 +175,7 @@\n \t;;\n reopen)\n \tif [ -f $lock ]; then\n-\t for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do\n+\t for pidf in `find $piddir -name \"*.pid\" 2>/dev/null`; do\n \t\tif [ -s $pidf ]; then\n \t\t kill -USR1 `cat $pidf` >/dev/null 2>&1\n \t\tfi\n@@ -195,7 +195,7 @@\n \t;;\n status)\n \tif [ -f $lock ]; then\n-\t for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do\n+\t for pidf in `find $piddir -name \"*.pid\" 2>/dev/null`; do\n \t\tif [ -s $pidf ]; then\n \t\t kill -USR2 `cat $pidf` >/dev/null 2>&1\n \t\tfi\n" }, { "path": "contrib/openvpn-fwmarkroute-1.00/README", "content": "OpenVPN fwmark Routing\nSean Reifschneider, \nThursday November 27, 2003\n==========================\n\nThese scripts can be used with OpenVPN up and down scripts to set up\nrouting on a Linux system such that the VPN traffic is sent via normal\nnetwork connectivity, but other traffic to that network runs over the VPN.\nThe idea is to allow encryption of data to the network the remote host is\non, without interfering with the VPN traffic. You can't simply add a route\nto the remote network, becaues that will cause the VPN traffic to also try\nto run over the VPN, and breaks the VPN.\n\nThese scripts use the Linux \"fwmark\" iptables rules to specify routing\nbased not only on IP address, but also by port and protocol. This allows\nyou to effectively say \"if the packet is to this IP address on this port\nusing this protocol, then use the normal default gateway, otherwise use the\nVPN gateway.\n\nThis is set up on the client VPN system, not the VPN server. These scripts\nalso set up all ICMP echo-responses to run across the VPN. You can\ncomment the lines in the scripts to disable this, but I find this useful\nat coffee shops which have networks that block ICMP.\n\nTo configure this, you need to set up these scripts as your up and down\nscripts in the config file. You will need to set these values in the\nconfig file:\n\n up /etc/openvpn/fwmarkroute.up\n down /etc/openvpn/fwmarkroute.down\n up-restart\n up-delay\n\n setenv remote_netmask_bits 24\n\nNote: For this to work, you can't set the \"user\" or \"group\" config options,\nbecause then the scripts will not run as root.\n\nThe last setting allows you to control the size of the network the remote\nsystem is on. The remote end has to be set up to route, probably with\nmasquerading or NAT. The network this netmask relates to is calculated\nusing the value of \"remote\" in the conf file.\n\nSean\n" }, { "path": "contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down", "content": "#!/bin/sh\n#\n# Bring down vpn routing.\n\n# calculate the network address\nremote_network=`ipcalc -n \"$remote\"/\"$remote_netmask_bits\"`\nremote_network=\"${remote_network#*=}\"\n\n# clear routing via VPN\nip route del \"$remote_network\"/\"$remote_netmask_bits\" via \"$5\" table vpn.out\nip route del table vpnonly.out via \"$5\"\niptables -D OUTPUT -t mangle -p \"$proto\" \\\n\t\t-d \"$remote_network\"/\"$remote_netmask_bits\" \\\n\t\t--dport \"$remote_port\" -j ACCEPT\niptables -D OUTPUT -t mangle -d \"$remote\" -j MARK --set-mark 2\n\n# undo the ICMP ping tunneling\niptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \\\n\t\t-j MARK --set-mark 3\n\n# flush route cache\nip route flush cache\n" }, { "path": "contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up", "content": "#!/bin/sh\n#\n# Bring up vpn routing.\n\n# calculate the network address\nremote_network=`ipcalc -n \"$remote\"/\"$remote_netmask_bits\"`\nremote_network=\"${remote_network#*=}\"\n\n# add the stuff that doesn't change if it's not already there\ngrep -q '^202 ' /etc/iproute2/rt_tables \nif [ \"$?\" -ne 0 ]\nthen\n\techo 202 vpn.out >> /etc/iproute2/rt_tables\nfi\ngrep -q '^203 ' /etc/iproute2/rt_tables \nif [ \"$?\" -ne 0 ]\nthen\n\techo 203 vpnonly.out >> /etc/iproute2/rt_tables\nfi\nip rule ls | grep -q 'lookup vpn.out *$'\nif [ \"$?\" -ne 0 ]\nthen\n\tip rule add fwmark 2 table vpn.out\nfi\nip rule ls | grep -q 'lookup vpnonly.out *$'\nif [ \"$?\" -ne 0 ]\nthen\n\tip rule add fwmark 3 table vpnonly.out\nfi\n\n# route VPN traffic using the normal table\niptables -A OUTPUT -t mangle -p \"$proto\" -d \"$remote\" --dport \"$remote_port\" \\\n\t\t-j ACCEPT\n\n# route all other traffic to that host via VPN\niptables -A OUTPUT -t mangle -d \"$remote_network\"/\"$remote_netmask_bits\" \\\n\t\t-j MARK --set-mark 2\n\n# route all ICMP pings over the VPN\niptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \\\n\t\t-j MARK --set-mark 3\n\n# NAT traffic going over the VPN, so it doesn't have an unknown address\niptables -t nat -A POSTROUTING -o \"$1\" -j SNAT --to-source \"$4\"\n\n# add routing commands\nip route add \"$remote_network\"/\"$remote_netmask_bits\" via \"$5\" table vpn.out\nip route add table vpnonly.out via \"$5\"\nip route flush cache\n" }, { "path": "contrib/vcpkg-manifests/mingw/vcpkg.json", "content": "{\n \"$schema\": \"https://raw.githubusercontent.com/microsoft/vcpkg/master/scripts/vcpkg.schema.json\",\n \"name\": \"openvpn\",\n \"version\": \"2.7\",\n \"dependencies\": [\n \"openssl\",\n \"tap-windows6\",\n \"lzo\",\n \"lz4\",\n \"pkcs11-helper\",\n \"cmocka\"\n ]\n}\n" }, { "path": "contrib/vcpkg-manifests/windows/vcpkg.json", "content": "{\n \"$schema\": \"https://raw.githubusercontent.com/microsoft/vcpkg/master/scripts/vcpkg.schema.json\",\n \"name\": \"openvpn\",\n \"version\": \"2.7\",\n \"dependencies\": [\n {\n \"name\": \"openssl\",\n \"features\": [\"tools\"]\n },\n \"tap-windows6\",\n \"lzo\",\n \"lz4\",\n \"pkcs11-helper\",\n \"cmocka\",\n {\n \"name\": \"pkgconf\",\n \"host\": true\n }\n ]\n}\n" }, { "path": "contrib/vcpkg-ports/pkcs11-helper/config-w32-vc.h.in-indicate-OpenSSL.patch", "content": "From c2293864de70fec322fe7e559055530ef56b9641 Mon Sep 17 00:00:00 2001\nFrom: Lev Stipakov \nDate: Tue, 11 Jan 2022 13:35:42 +0200\nSubject: [PATCH] config-w32-vc.h.in: indicate OpenSSL EC support\n\nSigned-off-by: Lev Stipakov \n---\n config-w32-vc.h.in | 12 ++++++++++++\n 1 file changed, 12 insertions(+)\n\ndiff --git a/config-w32-vc.h b/config-w32-vc.h\nindex 6d94841..db83825 100644\n--- a/config-w32-vc.h\n+++ b/config-w32-vc.h\n@@ -218,3 +218,15 @@\n \n /* Define to 1 if you have the `DSA_SIG_set0' function. */\n #define HAVE_DSA_SIG_SET0 1\n+\n+/* Define to 1 if you have the `ECDSA_SIG_set0' function. */\n+#define HAVE_ECDSA_SIG_SET0 1\n+\n+/* Define to 1 if you have the `EC_KEY_METHOD_get_sign' function. */\n+#define HAVE_EC_KEY_METHOD_GET_SIGN 1\n+\n+/* Define to 1 if you have the `EC_KEY_METHOD_set_sign' function. */\n+#define HAVE_EC_KEY_METHOD_SET_SIGN 1\n+\n+/* Define to 1 if OpenSSL has EC support. */\n+#define ENABLE_PKCS11H_OPENSSL_EC 1\n-- \n2.23.0.windows.1\n\n" }, { "path": "contrib/vcpkg-ports/pkcs11-helper/nmake-compatibility-with-vcpkg-nmake.patch", "content": "From 2d3a2c05383f653544b9c7194dd1349c6d5f3067 Mon Sep 17 00:00:00 2001\nFrom: Lev Stipakov \nDate: Tue, 11 Jan 2022 13:24:51 +0200\nSubject: [PATCH] nmake: compatibility with vcpkg nmake\n\nRemove options which contradict or already set\nby vcpkg nmake scripts.\n\nSigned-off-by: Lev Stipakov \n---\n lib/Makefile.w32-vc | 8 ++------\n 1 file changed, 2 insertions(+), 6 deletions(-)\n\ndiff --git a/lib/Makefile.w32-vc b/lib/Makefile.w32-vc\nindex 96f1f89..be68a00 100644\n--- a/lib/Makefile.w32-vc\n+++ b/lib/Makefile.w32-vc\n@@ -75,15 +75,11 @@ OPENSSL_LIBS=-LIBPATH:$(OPENSSL_LIB) user32.lib advapi32.lib $(OPENSSL_STATIC)\n CFLAGS = -I../include $(OPENSSL_CFLAGS) -DWIN32 -DWIN32_LEAN_AND_MEAN -D_MBCS -D_CRT_SECURE_NO_DEPRECATE -D_WIN32_WINNT=0x0400\n CC=cl.exe\n RC=rc.exe\n-CCPARAMS=/nologo /W3 /O2 /FD /c\n-\n-CCPARAMS=$(CCPARAMS) /MD\n-CFLAGS=$(CFLAGS) -DNDEBUG\n+CCPARAMS=/c\n \n LINK32=link.exe\n LIB32=lib.exe\n-LINK32_FLAGS=/nologo /subsystem:windows /dll /incremental:no /release\n-LIB32_FLAGS=/nologo\n+LINK32_FLAGS=/dll\n \n HEADERS = \\\n \tconfig.h \\\n-- \n2.23.0.windows.1\n\n" }, { "path": "contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-001-RFC7512.patch", "content": "upstream PR: https://github.com/OpenSC/pkcs11-helper/pull/4\n\nRebased to 1.31.0 by selva.nair@gmail.com\n\ncommit 90590b02085edc3830bdfe0942a46c4e7bf3f1ab (HEAD -> master)\nAuthor: David Woodhouse \nDate: Thu Apr 30 14:58:24 2015 +0100\n\n Serialize to RFC7512-compliant PKCS#11 URIs\n \n Signed-off-by: David Woodhouse \n\ncommit 4d5280da8df591aab701dff4493d13a835a9b29c\nAuthor: David Woodhouse \nDate: Wed Dec 10 14:00:21 2014 +0000\n\n Accept RFC7512-compliant PKCS#11 URIs as serialized token/certificate IDs\n \n The old format is still accepted for compatibility.\n \n Signed-off-by: David Woodhouse \n\ncommit 14e09211c3d50eb06825090c9765e4382cf52f19\nAuthor: David Woodhouse \nDate: Sun Dec 14 19:42:18 2014 +0000\n\n Stop _pkcs11h_util_hexToBinary() checking for trailing NUL\n \n We are going to want to use this for parsing %XX hex escapes in RFC7512\n PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only\n one existing caller at the moment, it's simple just to let the caller\n have responsibility for that check.\n \n Signed-off-by: David Woodhouse \ndiff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c\nindex ad275f8..1d077e4 100644\n--- a/lib/pkcs11h-serialization.c\n+++ b/lib/pkcs11h-serialization.c\n@@ -61,29 +61,127 @@\n \n #if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)\n \n+#define URI_SCHEME \"pkcs11:\"\n+\n+#define token_field_ofs(field) ((unsigned long)&(((struct pkcs11h_token_id_s *)0)->field))\n+#define token_field_size(field) sizeof((((struct pkcs11h_token_id_s *)0)->field))\n+#define token_field(name, field) { name \"=\", sizeof(name), \\\n+\t\t\t\t token_field_ofs(field), token_field_size(field) }\n+\n+static struct {\n+\tconst char const *name;\n+\tsize_t namelen;\n+\tunsigned long field_ofs;\n+\tsize_t field_size;\n+} __token_fields[] = {\n+\ttoken_field (\"model\", model),\n+\ttoken_field (\"token\", label),\n+\ttoken_field (\"manufacturer\", manufacturerID ),\n+\ttoken_field (\"serial\", serialNumber ),\n+\t{ NULL },\n+};\n+\n+#define P11_URL_VERBATIM \"abcdefghijklmnopqrstuvwxyz\" \\\n+ \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" \\\n+ \"0123456789_-.\"\n+\n+static\n+int\n+__token_attr_escape(char *uri, char *attr, size_t attrlen)\n+{\n+\tint len = 0, i;\n+\n+\tfor (i = 0; i < attrlen; i++) {\n+\t\tif ((attr[i] != '\\x0') && strchr(P11_URL_VERBATIM, attr[i])) {\n+\t\t\tif (uri) {\n+\t\t\t\t*(uri++) = attr[i];\n+\t\t\t}\n+\t\t\tlen++;\n+\t\t} else {\n+\t\t\tif (uri) {\n+\t\t\t\tsprintf(uri, \"%%%02x\", (unsigned char)attr[i]);\n+\t\t\t\turi += 3;\n+\t\t\t}\n+\t\t\tlen += 3;\n+\t\t}\n+\t}\n+\treturn len;\n+}\n+\n+static\n+CK_RV\n+__generate_pkcs11_uri (\n+\tOUT char * const sz,\n+\tIN OUT size_t *max,\n+\tIN const pkcs11h_certificate_id_t certificate_id,\n+\tIN const pkcs11h_token_id_t token_id\n+) {\n+\tsize_t _max;\n+\tchar *p = sz;\n+\tint i;\n+\n+\t_PKCS11H_ASSERT (max!=NULL);\n+\t_PKCS11H_ASSERT (token_id!=NULL);\n+\n+\t_max = strlen(URI_SCHEME);\n+\tfor (i = 0; __token_fields[i].name; i++) {\n+\t\tchar *field = ((char *)token_id) + __token_fields[i].field_ofs;\n+\n+\t\t_max += __token_fields[i].namelen;\n+\t\t_max += __token_attr_escape (NULL, field, strlen(field));\n+\t\t_max++; /* For a semicolon or trailing NUL */\n+\t}\n+\tif (certificate_id) {\n+\t\t_max += strlen (\";id=\");\n+\t\t_max += __token_attr_escape (NULL,\n+\t\t\t\t\t (char *)certificate_id->attrCKA_ID,\n+\t\t\t\t\t certificate_id->attrCKA_ID_size);\n+\t}\n+\n+\tif (!sz) {\n+\t\t*max = _max;\n+\t\treturn CKR_OK;\n+\t}\n+\n+\tif (sz && *max < _max)\n+\t\treturn CKR_ATTRIBUTE_VALUE_INVALID;\n+\n+\tp += sprintf(p, URI_SCHEME);\n+\tfor (i = 0; __token_fields[i].name; i++) {\n+\t\tchar *field = ((char *)token_id) + __token_fields[i].field_ofs;\n+\n+\t\tp += sprintf (p, \"%s\", __token_fields[i].name);\n+\t\tp += __token_attr_escape (p, field, strlen(field));\n+\t\t*(p++) = ';';\n+\t}\n+\tif (certificate_id) {\n+\t\tp += sprintf (p, \"id=\");\n+\t\tp += __token_attr_escape (p,\n+\t\t\t\t\t (char *)certificate_id->attrCKA_ID,\n+\t\t\t\t\t certificate_id->attrCKA_ID_size);\n+\t} else {\n+\t\t/* Remove the unneeded trailing semicolon */\n+\t\tp--;\n+\t}\n+\t*(p++) = 0;\n+\n+\t*max = _max;\n+\n+\treturn CKR_OK;\n+}\n+\n CK_RV\n pkcs11h_token_serializeTokenId (\n \tOUT char * const sz,\n \tIN OUT size_t *max,\n \tIN const pkcs11h_token_id_t token_id\n ) {\n-\tconst char *sources[5];\n \tCK_RV rv = CKR_FUNCTION_FAILED;\n-\tsize_t n;\n-\tint e;\n \n \t/*_PKCS11H_ASSERT (sz!=NULL); Not required*/\n \t_PKCS11H_ASSERT (max!=NULL);\n \t_PKCS11H_ASSERT (token_id!=NULL);\n \n-\t{ /* Must be after assert */\n-\t\tsources[0] = token_id->manufacturerID;\n-\t\tsources[1] = token_id->model;\n-\t\tsources[2] = token_id->serialNumber;\n-\t\tsources[3] = token_id->label;\n-\t\tsources[4] = NULL;\n-\t}\n-\n \t_PKCS11H_DEBUG (\n \t\tPKCS11H_LOG_DEBUG2,\n \t\t\"PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max=\"P_Z\", token_id=%p\",\n@@ -92,67 +190,161 @@ pkcs11h_token_serializeTokenId (\n \t\t(void *)token_id\n \t);\n \n-\tn = 0;\n-\tfor (e=0;sources[e] != NULL;e++) {\n-\t\tsize_t t;\n-\t\tif (\n-\t\t\t(rv = _pkcs11h_util_escapeString (\n-\t\t\t\tNULL,\n-\t\t\t\tsources[e],\n-\t\t\t\t&t,\n-\t\t\t\t__PKCS11H_SERIALIZE_INVALID_CHARS\n-\t\t\t)) != CKR_OK\n-\t\t) {\n-\t\t\tgoto cleanup;\n+\trv = __generate_pkcs11_uri(sz, max, NULL, token_id);\n+\n+\t_PKCS11H_DEBUG (\n+\t\tPKCS11H_LOG_DEBUG2,\n+\t\t\"PKCS#11: pkcs11h_token_serializeTokenId return rv=%lu-'%s', *max=\"P_Z\", sz='%s'\",\n+\t\trv,\n+\t\tpkcs11h_getMessage (rv),\n+\t\t*max,\n+\t\tsz\n+\t);\n+\n+\treturn rv;\n+}\n+\n+static\n+CK_RV\n+__parse_token_uri_attr (\n+\tconst char *uri,\n+\tsize_t urilen,\n+\tchar *tokstr,\n+\tsize_t toklen,\n+\tsize_t *parsed_len\n+) {\n+\tsize_t orig_toklen = toklen;\n+\tCK_RV rv = CKR_OK;\n+\n+\twhile (urilen && toklen > 1) {\n+\t\tif (*uri == '%') {\n+\t\t\tsize_t size = 1;\n+\n+\t\t\tif (urilen < 3) {\n+\t\t\t\trv = CKR_ATTRIBUTE_VALUE_INVALID;\n+\t\t\t\tgoto done;\n+\t\t\t}\n+\n+\t\t\trv = _pkcs11h_util_hexToBinary ((unsigned char *)tokstr,\n+\t\t\t\t\t\t\turi + 1, &size);\n+\t\t\tif (rv != CKR_OK) {\n+\t\t\t\tgoto done;\n+\t\t\t}\n+\n+\t\t\turi += 2;\n+\t\t\turilen -= 2;\n+\t\t} else {\n+\t\t\t*tokstr = *uri;\n \t\t}\n-\t\tn+=t;\n+\t\ttokstr++;\n+\t\turi++;\n+\t\ttoklen--;\n+\t\turilen--;\n+\t\ttokstr[0] = 0;\n \t}\n \n-\tif (sz != NULL) {\n-\t\tif (*max < n) {\n-\t\t\trv = CKR_ATTRIBUTE_VALUE_INVALID;\n-\t\t\tgoto cleanup;\n+\tif (urilen) {\n+\t\trv = CKR_ATTRIBUTE_VALUE_INVALID;\n+\t} else if (parsed_len) {\n+\t\t*parsed_len = orig_toklen - toklen;\n+\t}\n+\n+ done:\n+\treturn rv;\n+}\n+\n+static\n+CK_RV\n+__parse_pkcs11_uri (\n+\tOUT pkcs11h_token_id_t token_id,\n+\tOUT pkcs11h_certificate_id_t certificate_id,\n+\tIN const char * const sz\n+) {\n+\tconst char *end, *p;\n+\tCK_RV rv = CKR_OK;\n+\n+\t_PKCS11H_ASSERT (token_id!=NULL);\n+\t_PKCS11H_ASSERT (sz!=NULL);\n+\n+\tif (strncmp (sz, URI_SCHEME, strlen (URI_SCHEME)))\n+\t\treturn CKR_ATTRIBUTE_VALUE_INVALID;\n+\n+\tend = sz + strlen (URI_SCHEME) - 1;\n+\twhile (rv == CKR_OK && end[0] && end[1]) {\n+\t\tint i;\n+\n+\t\tp = end + 1;\n+\t end = strchr (p, ';');\n+\t\tif (!end)\n+\t\t\tend = p + strlen(p);\n+\n+\t\tfor (i = 0; __token_fields[i].name; i++) {\n+\t\t\t/* Parse the token=, label=, manufacturer= and serial= fields */\n+\t\t\tif (!strncmp(p, __token_fields[i].name, __token_fields[i].namelen)) {\n+\t\t\t\tchar *field = ((char *)token_id) + __token_fields[i].field_ofs;\n+\n+\t\t\t\tp += __token_fields[i].namelen;\n+\t\t\t\trv = __parse_token_uri_attr (p, end - p, field,\n+\t\t\t\t\t\t\t __token_fields[i].field_size,\n+\t\t\t\t\t\t\t NULL);\n+\t\t\t\tif (rv != CKR_OK) {\n+\t\t\t\t\tgoto cleanup;\n+\t\t\t\t}\n+\n+\t\t\t\tgoto matched;\n+\t\t\t}\n \t\t}\n+\t\tif (certificate_id && !strncmp(p, \"id=\", 3)) {\n+\t\t\tp += 3;\n+\n+\t\t\trv = _pkcs11h_mem_malloc ((void *)&certificate_id->attrCKA_ID,\n+\t\t\t\t\t\t end - p + 1);\n+\t\t\tif (rv != CKR_OK) {\n+\t\t\t\tgoto cleanup;\n+\t\t\t}\n \n-\t\tn = 0;\n-\t\tfor (e=0;sources[e] != NULL;e++) {\n-\t\t\tsize_t t = *max-n;\n-\t\t\tif (\n-\t\t\t\t(rv = _pkcs11h_util_escapeString (\n-\t\t\t\t\tsz+n,\n-\t\t\t\t\tsources[e],\n-\t\t\t\t\t&t,\n-\t\t\t\t\t__PKCS11H_SERIALIZE_INVALID_CHARS\n-\t\t\t\t)) != CKR_OK\n-\t\t\t) {\n+\t\t\trv = __parse_token_uri_attr (p, end - p,\n+\t\t\t\t\t\t (char *)certificate_id->attrCKA_ID,\n+\t\t\t\t\t\t end - p + 1,\n+\t\t\t\t\t\t &certificate_id->attrCKA_ID_size);\n+\t\t\tif (rv != CKR_OK) {\n \t\t\t\tgoto cleanup;\n \t\t\t}\n-\t\t\tn+=t;\n-\t\t\tsz[n-1] = '/';\n+\n+\t\t\tgoto matched;\n \t\t}\n-\t\tsz[n-1] = '\\x0';\n-\t}\n \n-\t*max = n;\n-\trv = CKR_OK;\n+\t\t/* We don't parse object= because the match code doesn't support\n+\t\t matching by label. */\n+\n+\t\t/* Failed to parse PKCS#11 URI element. */\n+\t\treturn CKR_ATTRIBUTE_VALUE_INVALID;\n \n+\t\tmatched:\n+\t\t ;\n+\t}\n cleanup:\n+\t/* The matching code doesn't support support partial matches; it needs\n+\t * *all* of manufacturer, model, serial and label attributes to be\n+\t * defined. So reject partial URIs early instead of letting it do the\n+\t * wrong thing. We can maybe improve this later. */\n+\tif (!token_id->model[0] || !token_id->label[0] ||\n+\t !token_id->manufacturerID[0] || !token_id->serialNumber[0]) {\n+\t\treturn CKR_ATTRIBUTE_VALUE_INVALID;\n+\t}\n \n-\t_PKCS11H_DEBUG (\n-\t\tPKCS11H_LOG_DEBUG2,\n-\t\t\"PKCS#11: pkcs11h_token_serializeTokenId return rv=%lu-'%s', *max=\"P_Z\", sz='%s'\",\n-\t\trv,\n-\t\tpkcs11h_getMessage (rv),\n-\t\t*max,\n-\t\tsz\n-\t);\n+\t/* For a certificate ID we need CKA_ID */\n+\tif (certificate_id && !certificate_id->attrCKA_ID_size) {\n+\t\treturn CKR_ATTRIBUTE_VALUE_INVALID;\n+\t}\n \n \treturn rv;\n }\n \n+static\n CK_RV\n-pkcs11h_token_deserializeTokenId (\n-\tOUT pkcs11h_token_id_t *p_token_id,\n+__pkcs11h_token_legacy_deserializeTokenId (\n+\tOUT pkcs11h_token_id_t token_id,\n \tIN const char * const sz\n ) {\n #define __PKCS11H_TARGETS_NUMBER 4\n@@ -161,24 +353,11 @@ pkcs11h_token_deserializeTokenId (\n \t\tsize_t s;\n \t} targets[__PKCS11H_TARGETS_NUMBER];\n \n-\tpkcs11h_token_id_t token_id = NULL;\n \tchar *p1 = NULL;\n \tchar *_sz = NULL;\n \tint e;\n \tCK_RV rv = CKR_FUNCTION_FAILED;\n \n-\t_PKCS11H_ASSERT (p_token_id!=NULL);\n-\t_PKCS11H_ASSERT (sz!=NULL);\n-\n-\t_PKCS11H_DEBUG (\n-\t\tPKCS11H_LOG_DEBUG2,\n-\t\t\"PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'\",\n-\t\t(void *)p_token_id,\n-\t\tsz\n-\t);\n-\n-\t*p_token_id = NULL;\n-\n \tif (\n \t\t(rv = _pkcs11h_mem_strdup (\n \t\t\t(void *)&_sz,\n@@ -190,10 +369,6 @@ pkcs11h_token_deserializeTokenId (\n \n \tp1 = _sz;\n \n-\tif ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) {\n-\t\tgoto cleanup;\n-\t}\n-\n \ttargets[0].p = token_id->manufacturerID;\n \ttargets[0].s = sizeof (token_id->manufacturerID);\n \ttargets[1].p = token_id->model;\n@@ -252,6 +427,51 @@ pkcs11h_token_deserializeTokenId (\n \t\tp1 = p2+1;\n \t}\n \n+\trv = CKR_OK;\n+\n+cleanup:\n+\n+\tif (_sz != NULL) {\n+\t\t_pkcs11h_mem_free ((void *)&_sz);\n+\t}\n+\n+\treturn rv;\n+#undef __PKCS11H_TARGETS_NUMBER\n+}\n+\n+CK_RV\n+pkcs11h_token_deserializeTokenId (\n+\tOUT pkcs11h_token_id_t *p_token_id,\n+\tIN const char * const sz\n+) {\n+\tpkcs11h_token_id_t token_id = NULL;\n+\tCK_RV rv = CKR_FUNCTION_FAILED;\n+\n+\t_PKCS11H_ASSERT (p_token_id!=NULL);\n+\t_PKCS11H_ASSERT (sz!=NULL);\n+\n+\t_PKCS11H_DEBUG (\n+\t\tPKCS11H_LOG_DEBUG2,\n+\t\t\"PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'\",\n+\t\t(void *)p_token_id,\n+\t\tsz\n+\t);\n+\n+\t*p_token_id = NULL;\n+\n+\tif ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) {\n+\t\tgoto cleanup;\n+\t}\n+\n+\tif (!strncmp (sz, URI_SCHEME, strlen (URI_SCHEME))) {\n+\t\trv = __parse_pkcs11_uri(token_id, NULL, sz);\n+\t} else {\n+\t\trv = __pkcs11h_token_legacy_deserializeTokenId(token_id, sz);\n+\t}\n+\tif (rv != CKR_OK) {\n+\t\tgoto cleanup;\n+\t}\n+\n \tstrncpy (\n \t\ttoken_id->display,\n \t\ttoken_id->label,\n@@ -264,11 +484,6 @@ pkcs11h_token_deserializeTokenId (\n \trv = CKR_OK;\n \n cleanup:\n-\n-\tif (_sz != NULL) {\n-\t\t_pkcs11h_mem_free ((void *)&_sz);\n-\t}\n-\n \tif (token_id != NULL) {\n \t\tpkcs11h_token_freeTokenId (token_id);\n \t}\n@@ -281,7 +496,6 @@ cleanup:\n \t);\n \n \treturn rv;\n-#undef __PKCS11H_TARGETS_NUMBER\n }\n \n #endif\t\t\t\t/* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */\n@@ -295,9 +509,6 @@ pkcs11h_certificate_serializeCertificateId (\n \tIN const pkcs11h_certificate_id_t certificate_id\n ) {\n \tCK_RV rv = CKR_FUNCTION_FAILED;\n-\tsize_t saved_max = 0;\n-\tsize_t n = 0;\n-\tsize_t _max = 0;\n \n \t/*_PKCS11H_ASSERT (sz!=NULL); Not required */\n \t_PKCS11H_ASSERT (max!=NULL);\n@@ -311,42 +522,7 @@ pkcs11h_certificate_serializeCertificateId (\n \t\t(void *)certificate_id\n \t);\n \n-\tif (sz != NULL) {\n-\t\tsaved_max = n = *max;\n-\t}\n-\t*max = 0;\n-\n-\tif (\n-\t\t(rv = pkcs11h_token_serializeTokenId (\n-\t\t\tsz,\n-\t\t\t&n,\n-\t\t\tcertificate_id->token_id\n-\t\t)) != CKR_OK\n-\t) {\n-\t\tgoto cleanup;\n-\t}\n-\n-\t_max = n + certificate_id->attrCKA_ID_size*2 + 1;\n-\n-\tif (sz != NULL) {\n-\t\tif (saved_max < _max) {\n-\t\t\trv = CKR_ATTRIBUTE_VALUE_INVALID;\n-\t\t\tgoto cleanup;\n-\t\t}\n-\n-\t\tsz[n-1] = '/';\n-\t\trv = _pkcs11h_util_binaryToHex (\n-\t\t\tsz+n,\n-\t\t\tsaved_max-n,\n-\t\t\tcertificate_id->attrCKA_ID,\n-\t\t\tcertificate_id->attrCKA_ID_size\n-\t\t);\n-\t}\n-\n-\t*max = _max;\n-\trv = CKR_OK;\n-\n-cleanup:\n+\trv = __generate_pkcs11_uri(sz, max, certificate_id, certificate_id->token_id);\n \n \t_PKCS11H_DEBUG (\n \t\tPKCS11H_LOG_DEBUG2,\n@@ -360,27 +536,16 @@ cleanup:\n \treturn rv;\n }\n \n+static\n CK_RV\n-pkcs11h_certificate_deserializeCertificateId (\n-\tOUT pkcs11h_certificate_id_t * const p_certificate_id,\n+__pkcs11h_certificate_legacy_deserializeCertificateId (\n+\tOUT pkcs11h_certificate_id_t certificate_id,\n \tIN const char * const sz\n ) {\n-\tpkcs11h_certificate_id_t certificate_id = NULL;\n \tCK_RV rv = CKR_FUNCTION_FAILED;\n \tchar *p = NULL;\n \tchar *_sz = NULL;\n-\n-\t_PKCS11H_ASSERT (p_certificate_id!=NULL);\n-\t_PKCS11H_ASSERT (sz!=NULL);\n-\n-\t*p_certificate_id = NULL;\n-\n-\t_PKCS11H_DEBUG (\n-\t\tPKCS11H_LOG_DEBUG2,\n-\t\t\"PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'\",\n-\t\t(void *)p_certificate_id,\n-\t\tsz\n-\t);\n+\tsize_t id_hex_len;\n \n \tif (\n \t\t(rv = _pkcs11h_mem_strdup (\n@@ -393,10 +558,6 @@ pkcs11h_certificate_deserializeCertificateId (\n \n \tp = _sz;\n \n-\tif ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {\n-\t\tgoto cleanup;\n-\t}\n-\n \tif ((p = strrchr (_sz, '/')) == NULL) {\n \t\trv = CKR_ATTRIBUTE_VALUE_INVALID;\n \t\tgoto cleanup;\n@@ -414,7 +575,12 @@ pkcs11h_certificate_deserializeCertificateId (\n \t\tgoto cleanup;\n \t}\n \n-\tcertificate_id->attrCKA_ID_size = strlen (p)/2;\n+\tid_hex_len = strlen (p);\n+\tif (id_hex_len & 1) {\n+\t\trv = CKR_ATTRIBUTE_VALUE_INVALID;\n+\t\tgoto cleanup;\n+\t}\n+\tcertificate_id->attrCKA_ID_size = id_hex_len/2;\n \n \tif (certificate_id->attrCKA_ID_size == 0) {\n \t\trv = CKR_ATTRIBUTE_VALUE_INVALID;\n@@ -434,21 +600,64 @@ pkcs11h_certificate_deserializeCertificateId (\n \t\tgoto cleanup;\n \t}\n \n+\trv = CKR_OK;\n+\n+cleanup:\n+\n+\tif (_sz != NULL) {\n+\t\t_pkcs11h_mem_free ((void *)&_sz);\n+\t}\n+\n+\treturn rv;\n+\n+}\n+\n+CK_RV\n+pkcs11h_certificate_deserializeCertificateId (\n+\tOUT pkcs11h_certificate_id_t * const p_certificate_id,\n+\tIN const char * const sz\n+) {\n+\tpkcs11h_certificate_id_t certificate_id = NULL;\n+\tCK_RV rv = CKR_FUNCTION_FAILED;\n+\n+\t_PKCS11H_ASSERT (p_certificate_id!=NULL);\n+\t_PKCS11H_ASSERT (sz!=NULL);\n+\n+\t*p_certificate_id = NULL;\n+\n+\t_PKCS11H_DEBUG (\n+\t\tPKCS11H_LOG_DEBUG2,\n+\t\t\"PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'\",\n+\t\t(void *)p_certificate_id,\n+\t\tsz\n+\t);\n+\n+\tif ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {\n+\t\tgoto cleanup;\n+\t}\n+\tif ((rv = _pkcs11h_token_newTokenId (&certificate_id->token_id)) != CKR_OK) {\n+\t\tgoto cleanup;\n+\t}\n+\n+\tif (!strncmp(sz, URI_SCHEME, strlen (URI_SCHEME))) {\n+\t\trv = __parse_pkcs11_uri (certificate_id->token_id, certificate_id, sz);\n+\t} else {\n+\t\trv = __pkcs11h_certificate_legacy_deserializeCertificateId (certificate_id, sz);\n+\t}\n+\tif (rv != CKR_OK) {\n+\t\tgoto cleanup;\n+\t}\n+\n \t*p_certificate_id = certificate_id;\n \tcertificate_id = NULL;\n \trv = CKR_OK;\n \n cleanup:\n-\n \tif (certificate_id != NULL) {\n \t\tpkcs11h_certificate_freeCertificateId (certificate_id);\n \t\tcertificate_id = NULL;\n \t}\n \n-\tif (_sz != NULL) {\n-\t\t_pkcs11h_mem_free ((void *)&_sz);\n-\t}\n-\n \t_PKCS11H_DEBUG (\n \t\tPKCS11H_LOG_DEBUG2,\n \t\t\"PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%lu-'%s'\",\ndiff --git a/lib/pkcs11h-util.c b/lib/pkcs11h-util.c\nindex 1fcadfc..a304642 100644\n--- a/lib/pkcs11h-util.c\n+++ b/lib/pkcs11h-util.c\n@@ -123,10 +123,6 @@ _pkcs11h_util_hexToBinary (\n \t\t(*p_target_size)++;\n \t}\n \n-\tif (*p != '\\x0') {\n-\t\tgoto cleanup;\n-\t}\n-\n \tret = CKR_OK;\n \n cleanup:\n" }, { "path": "contrib/vcpkg-ports/pkcs11-helper/portfile.cmake", "content": "vcpkg_download_distfile(ARCHIVE\n URLS \"https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.tar.bz2\"\n FILENAME \"pkcs11-helper-${VERSION}.tar.bz2\"\n SHA512 0833efc59e9093dd398a54640d858b01a830ef7adfb40321c1e0ed0afa004500fc1259cc66bc49c5263935adeda0a3bfe658de538eefd66888685a71f731c484\n)\n\nvcpkg_extract_source_archive(\n SOURCE_PATH\n ARCHIVE ${ARCHIVE}\n PATCHES\n nmake-compatibility-with-vcpkg-nmake.patch\n config-w32-vc.h.in-indicate-OpenSSL.patch\n pkcs11-helper-001-RFC7512.patch\n)\n\nif(VCPKG_TARGET_IS_WINDOWS AND NOT VCPKG_TARGET_IS_MINGW)\n vcpkg_build_nmake(\n SOURCE_PATH ${SOURCE_PATH}\n PROJECT_SUBPATH lib\n PROJECT_NAME Makefile.w32-vc\n OPTIONS\n OPENSSL=1\n OPENSSL_HOME=${CURRENT_PACKAGES_DIR}/../openssl_${TARGET_TRIPLET}\n )\n\n file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/lib RENAME pkcs11-helper.lib)\n file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/debug/lib RENAME pkcs11-helper.lib)\n\n file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/bin)\n file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/debug/bin)\n\n set(PACKAGE_VERSION \"${VERSION}\")\n set(libdir [[${prefix}/lib]])\n set(exec_prefix [[${prefix}]])\n set(PKCS11H_FEATURES key_prompt openssl engine_crypto_cryptoapi engine_crypto_openssl debug threading token data certificate slotevent engine_crypto)\n set(LIBS -lkernel32 -luser32 -lgdi32 -lwinspool -lshell32 -lole32 -loleaut32 -luuid -lcomdlg32 -ladvapi32)\n if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL \"release\")\n set(includedir [[${prefix}/include]])\n set(outfile \"${CURRENT_PACKAGES_DIR}/lib/pkgconfig/libpkcs11-helper-1.pc\")\n configure_file(\"${SOURCE_PATH}/lib/libpkcs11-helper-1.pc.in\" \"${outfile}\" @ONLY)\n endif()\n if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL \"debug\")\n set(includedir [[${prefix}/../include]])\n set(outfile \"${CURRENT_PACKAGES_DIR}/debug/lib/pkgconfig/libpkcs11-helper-1.pc\")\n configure_file(\"${SOURCE_PATH}/lib/libpkcs11-helper-1.pc.in\" \"${outfile}\" @ONLY)\n endif()\n\n file(INSTALL ${SOURCE_PATH}/include/pkcs11-helper-1.0 DESTINATION ${CURRENT_PACKAGES_DIR}/include/)\n\nelse()\n find_program(man_to_html man2html REQUIRED)\n\n vcpkg_configure_make(\n SOURCE_PATH ${SOURCE_PATH}\n OPTIONS --disable-crypto-engine-gnutls --disable-crypto-engine-nss\n --disable-crypto-engine-polarssl --disable-crypto-engine-mbedtls\n )\n vcpkg_install_make()\n\n file(REMOVE_RECURSE \"${CURRENT_PACKAGES_DIR}/debug/share\")\nendif()\n\nvcpkg_fixup_pkgconfig()\nvcpkg_copy_pdbs()\n\nvcpkg_install_copyright(FILE_LIST \"${SOURCE_PATH}/COPYING\")\n" }, { "path": "contrib/vcpkg-ports/pkcs11-helper/vcpkg.json", "content": "{\n \"$schema\": \"https://raw.githubusercontent.com/microsoft/vcpkg/master/scripts/vcpkg.schema.json\",\n \"name\": \"pkcs11-helper\",\n \"version\": \"1.31.0\",\n \"description\": \"pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications.\",\n \"homepage\": \"https://github.com/OpenSC/pkcs11-helper\",\n \"license\": \"BSD-3-Clause OR GPL-2.0-only\",\n \"dependencies\": [\n \"openssl\"\n ]\n}\n" }, { "path": "contrib/vcpkg-triplets/arm64-windows-ovpn.cmake", "content": "set(VCPKG_TARGET_ARCHITECTURE arm64)\nset(VCPKG_CRT_LINKAGE dynamic)\nset(VCPKG_LIBRARY_LINKAGE dynamic)\n\nset(STATIC_PORTS lz4 lzo)\nif(PORT IN_LIST STATIC_PORTS)\n set(VCPKG_LIBRARY_LINKAGE static)\nendif()\n" }, { "path": "contrib/vcpkg-triplets/x64-mingw-ovpn.cmake", "content": "set(VCPKG_TARGET_ARCHITECTURE x64)\nset(VCPKG_CRT_LINKAGE dynamic)\nset(VCPKG_LIBRARY_LINKAGE static)\nset(VCPKG_ENV_PASSTHROUGH PATH)\n\nset(VCPKG_CMAKE_SYSTEM_NAME MinGW)\n\nset(VCPKG_MAKE_BUILD_TRIPLET --host=x86_64-w64-mingw32)\n" }, { "path": "contrib/vcpkg-triplets/x64-windows-ovpn.cmake", "content": "set(VCPKG_TARGET_ARCHITECTURE x64)\nset(VCPKG_CRT_LINKAGE dynamic)\nset(VCPKG_LIBRARY_LINKAGE dynamic)\n\nset(STATIC_PORTS lz4 lzo)\nif(PORT IN_LIST STATIC_PORTS)\n set(VCPKG_LIBRARY_LINKAGE static)\nendif()\n" }, { "path": "contrib/vcpkg-triplets/x86-mingw-ovpn.cmake", "content": "set(VCPKG_TARGET_ARCHITECTURE x86)\nset(VCPKG_CRT_LINKAGE dynamic)\nset(VCPKG_LIBRARY_LINKAGE static)\nset(VCPKG_ENV_PASSTHROUGH PATH)\n\nset(VCPKG_CMAKE_SYSTEM_NAME MinGW)\n\nset(VCPKG_MAKE_BUILD_TRIPLET --host=i686-w64-mingw32)\n" }, { "path": "contrib/vcpkg-triplets/x86-windows-ovpn.cmake", "content": "set(VCPKG_TARGET_ARCHITECTURE x86)\nset(VCPKG_CRT_LINKAGE dynamic)\nset(VCPKG_LIBRARY_LINKAGE dynamic)\n\nset(STATIC_PORTS lz4 lzo)\nif(PORT IN_LIST STATIC_PORTS)\n set(VCPKG_LIBRARY_LINKAGE static)\nendif()\n" }, { "path": "debug/doval", "content": "#!/bin/bash\nPROGDIR=`dirname $0`\nunset LD_LIBRARY_PATH\nvalgrind --tool=memcheck --error-limit=no --suppressions=$PROGDIR/debug/valgrind-suppress --gen-suppressions=all --leak-check=full --show-reachable=yes --num-callers=32 $PROGDIR/openvpn \"$@\"\n" }, { "path": "debug/dovalns", "content": "#!/bin/bash\nvalgrind --tool=memcheck --error-limit=no --gen-suppressions=all --leak-check=full --show-reachable=yes --num-callers=32 $*\n" }, { "path": "debug/valgrind-suppress", "content": "{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:getpwnam_r\n fun:getpwnam\n fun:get_user\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n fun:__nss_next\n fun:gethostbyname_r\n fun:gethostbyname\n fun:getaddr\n fun:resolve_remote\n fun:link_socket_init_phase1\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:gethostbyname_r\n fun:gethostbyname\n fun:getaddr\n fun:resolve_remote\n fun:link_socket_init_phase1\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n fun:dlopen\n fun:plugin_list_init\n fun:init_plugins\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n fun:dlopen\n fun:plugin_list_init\n fun:init_plugins\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/libdl-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n fun:dlsym\n fun:libdl_resolve_symbol\n fun:plugin_list_init\n fun:init_plugins\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n fun:dlopen\n fun:plugin_list_init\n fun:init_plugins\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/libc-2.7.so\n obj:/lib/ld-2.7.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.7.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/libc-2.7.so\n obj:/lib/ld-2.7.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.7.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/libc-2.7.so\n obj:/lib/ld-2.7.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.7.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Addr8\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/ld-2.7.so\n obj:/lib/libc-2.7.so\n obj:/lib/ld-2.7.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.7.so\n fun:getpwnam_r\n fun:getpwnam\n fun:get_user\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_div\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:RSA_verify\n fun:EVP_VerifyFinal\n fun:ASN1_item_verify\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:X509_verify_cert\n fun:ssl_verify_cert_chain\n fun:ssl3_get_client_certificate\n fun:ssl3_accept\n fun:ssl3_read_bytes\n fun:ssl3_read\n obj:/usr/lib/libssl.so.0.9.8\n fun:BIO_read\n fun:bio_read\n fun:tls_process\n fun:tls_multi_process\n fun:check_tls_dowork\n fun:pre_select\n fun:multi_process_post\n fun:multi_process_incoming_link\n fun:multi_tcp_action\n}\n\n{\n \n Memcheck:Cond\n fun:BN_div\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:ssl3_ctx_ctrl\n fun:init_ssl\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_div\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:ssl3_ctx_ctrl\n fun:init_ssl\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_div\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:RSA_sign\n fun:ssl3_send_server_key_exchange\n fun:ssl3_accept\n fun:ssl3_read_bytes\n fun:ssl3_read\n obj:/usr/lib/libssl.so.0.9.8\n fun:BIO_read\n fun:bio_read\n fun:tls_process\n fun:tls_multi_process\n fun:check_tls_dowork\n fun:pre_select\n fun:multi_process_post\n fun:multi_process_incoming_link\n fun:multi_tcp_action\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_div\n fun:BN_MONT_CTX_set\n fun:BN_mod_exp_mont\n fun:BN_BLINDING_create_param\n fun:RSA_setup_blinding\n obj:/usr/lib/libcrypto.so.0.9.8\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:RSA_sign\n fun:ssl3_send_server_key_exchange\n fun:ssl3_accept\n fun:ssl3_read_bytes\n fun:ssl3_read\n obj:/usr/lib/libssl.so.0.9.8\n fun:BIO_read\n fun:bio_read\n fun:tls_process\n fun:tls_multi_process\n fun:check_tls_dowork\n fun:pre_select\n fun:multi_process_post\n fun:multi_process_incoming_link\n fun:multi_tcp_action\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_div\n fun:BN_nnmod\n fun:BN_mod_inverse\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:ssl3_ctx_ctrl\n fun:init_ssl\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_div\n fun:BN_nnmod\n fun:BN_mod_inverse\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:ssl3_ctx_ctrl\n fun:init_ssl\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_mod_inverse\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:RSA_verify\n fun:EVP_VerifyFinal\n fun:ASN1_item_verify\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:X509_verify_cert\n fun:ssl_verify_cert_chain\n fun:ssl3_get_client_certificate\n fun:ssl3_accept\n fun:ssl3_read_bytes\n fun:ssl3_read\n obj:/usr/lib/libssl.so.0.9.8\n fun:BIO_read\n fun:bio_read\n fun:tls_process\n fun:tls_multi_process\n fun:check_tls_dowork\n fun:pre_select\n fun:multi_process_post\n fun:multi_process_incoming_link\n fun:multi_tcp_action\n}\n\n{\n \n Memcheck:Cond\n fun:BN_mod_inverse\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:ssl3_ctx_ctrl\n fun:init_ssl\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_mod_inverse\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:ssl3_ctx_ctrl\n fun:init_ssl\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_mod_inverse\n fun:BN_MONT_CTX_set\n fun:BN_MONT_CTX_set_locked\n obj:/usr/lib/libcrypto.so.0.9.8\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:RSA_sign\n fun:ssl3_send_server_key_exchange\n fun:ssl3_accept\n fun:ssl3_read_bytes\n fun:ssl3_read\n obj:/usr/lib/libssl.so.0.9.8\n fun:BIO_read\n fun:bio_read\n fun:tls_process\n fun:tls_multi_process\n fun:check_tls_dowork\n fun:pre_select\n fun:multi_process_post\n fun:multi_process_incoming_link\n fun:multi_tcp_action\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_mod_inverse\n fun:BN_MONT_CTX_set\n fun:BN_mod_exp_mont\n fun:BN_BLINDING_create_param\n fun:RSA_setup_blinding\n obj:/usr/lib/libcrypto.so.0.9.8\n obj:/usr/lib/libcrypto.so.0.9.8\n fun:RSA_sign\n fun:ssl3_send_server_key_exchange\n fun:ssl3_accept\n fun:ssl3_read_bytes\n fun:ssl3_read\n obj:/usr/lib/libssl.so.0.9.8\n fun:BIO_read\n fun:bio_read\n fun:tls_process\n fun:tls_multi_process\n fun:check_tls_dowork\n fun:pre_select\n fun:multi_process_post\n fun:multi_process_incoming_link\n fun:multi_tcp_action\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:*\n obj:*\n obj:*\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n fun:__nss_next\n fun:gethostbyname_r\n fun:gethostbyname\n fun:getaddr\n fun:resolve_remote\n fun:link_socket_init_phase1\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:gethostbyname_r\n fun:gethostbyname\n fun:getaddr\n fun:resolve_remote\n fun:link_socket_init_phase1\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n fun:__nss_next\n fun:gethostbyname_r\n fun:gethostbyname\n fun:getaddr\n fun:resolve_remote\n fun:link_socket_init_phase1\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:gethostbyname_r\n fun:gethostbyname\n fun:getaddr\n fun:resolve_remote\n fun:link_socket_init_phase1\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n fun:__nss_next\n fun:gethostbyname_r\n fun:gethostbyname\n fun:getaddr\n fun:resolve_remote\n fun:link_socket_init_phase1\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:gethostbyname_r\n fun:gethostbyname\n fun:getaddr\n fun:resolve_remote\n fun:link_socket_init_phase1\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/ld-2.5.so\n fun:__libc_dlopen_mode\n fun:__nss_lookup_function\n obj:/lib/libc-2.5.so\n fun:getpwnam_r\n fun:getpwnam\n fun:get_user\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libc-2.5.so\n obj:/lib/libdl-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n fun:dlsym\n fun:libdl_resolve_symbol\n fun:plugin_list_init\n fun:init_plugins\n fun:main\n}\n\n{\n \n Memcheck:Cond\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n obj:/lib/ld-2.5.so\n obj:/lib/libdl-2.5.so\n fun:dlopen\n fun:plugin_list_init\n fun:init_plugins\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:CRYPTO_malloc\n fun:sk_new\n obj:/usr/lib/libssl.so.0.9.8\n fun:SSL_COMP_get_compression_methods\n fun:SSL_library_init\n fun:init_ssl_lib\n fun:init_static\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getpwnam_r\n fun:getpwnam\n fun:get_user\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:getdelim\n fun:getpass\n fun:get_console_input\n fun:get_user_pass\n fun:context_init_1\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:tsearch\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:tsearch\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:tsearch\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:tsearch\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n fun:tsearch\n fun:__nss_lookup_function\n obj:*\n obj:*\n fun:getpwnam_r\n fun:getpwnam\n fun:get_user\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n obj:/lib/libc-2.5.so\n fun:__nss_database_lookup\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n obj:/lib/libc-2.5.so\n fun:__nss_database_lookup\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n obj:/lib/libc-2.5.so\n fun:__nss_database_lookup\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n obj:/lib/libc-2.5.so\n fun:__nss_database_lookup\n obj:*\n obj:*\n fun:getpwnam_r\n fun:getpwnam\n fun:get_user\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n obj:/lib/libc-2.7.so\n fun:__nss_database_lookup\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_tcp\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n obj:/lib/libc-2.7.so\n fun:__nss_database_lookup\n obj:*\n obj:*\n fun:getgrnam_r\n fun:getgrnam\n fun:get_group\n fun:do_init_first_time\n fun:init_instance\n fun:init_instance_handle_signals\n fun:tunnel_server_udp\n fun:main\n}\n\n{\n \n Memcheck:Leak\n fun:malloc\n obj:/lib/libc-2.7.so\n fun:__nss_database_lookup\n obj:*\n obj:*\n fun:getpwnam_r\n fun:getpwnam\n fun:get_user\n fun:management_open\n fun:open_management\n fun:main\n}\n\n{\n \n Memcheck:Cond\n fun:BN_mod_inverse\n}\n\n{\n \n Memcheck:Cond\n fun:BN_div\n}\n" }, { "path": "dev-tools/gen-release-tarballs.sh", "content": "#!/bin/sh\n# gen-release-tarballs.sh - Generates release tarballs with signatures\n#\n# Copyright (C) 2017-2026 - David Sommerseth \n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, see .\n#\nset -u\n\nif [ $# -ne 4 ]; then\n echo \"Usage: $0 \"\n echo \"\"\n echo \" remote-name -- valid remotes: `git remote | tr \\\\\\n ' '`\"\n echo \" tag-name -- An existing release tag\"\n echo \" sign-key -- PGP key used to sign all files\"\n echo \" dest-dir -- Where to put the complete set of release tarballs\"\n echo \"\"\n echo \" Example: $0 origin v2.4.2 /tmp/openvpn-release\"\n echo\n exit 1\nfi\n\narg_remote_name=\"$1\"\narg_tag_name=\"$2\"\narg_sign_key=\"$3\"\narg_dest_dir=\"$4\"\n\n#\n# Sanity checks\n#\n\n# Check that the tag exists\ngit tag | grep \"$arg_tag_name\" 1>/dev/null\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** The tag '$arg_tag_name' does not exist\"\n exit 2\nfi\n\n# Extract the git URL\ngiturl=\"`git remote get-url $arg_remote_name 2>/dev/null`\"\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** Invalid git remote name: $arg_remote_name\"\n exit 2\nfi\n\n# Check we have the needed signing key\necho \"test\" | gpg -a --clearsign -u \"$arg_sign_key\" 2>/dev/null 1>/dev/null\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** Failed when testing the PGP signing. Wrong signing key?\"\n exit 2;\nfi\n\n\n#\n# Helper functions\n#\n\nget_filename()\n{\n local wildcard=\"$1\"\n\n res=\"`find . -maxdepth 1 -type f -name \\\"$wildcard\\\" | head -n1 | cut -d/ -f2-`\"\n if [ $? -ne 0 ]; then\n echo \"-- 'find' failed.\"\n exit 5\n fi\n if [ -z \"$res\" ]; then\n echo \"-- Could not find a file with the wildcard: $wildcard\"\n exit 4\n fi\n echo \"$res\"\n}\n\ncopy_files()\n{\n local fileext=\"$1\"\n local dest=\"$2\"\n\n file=\"`get_filename openvpn-*.*.*.$fileext`\"\n if [ -z \"$file\" ]; then\n echo \"** ERROR Failed to find source file\"\n exit 5\n fi\n echo \"-- Copying $file\"\n cp \"$file\" \"$dest\"\n if [ $? -ne 0 ]; then\n echo \"** ERROR ** Failed to copy $file to $destdir\"\n exit 3;\n fi\n}\n\nsign_file()\n{\n local signkey=\"$1\"\n local srchfile=\"$2\"\n local signtype=\"$3\"\n local file=\"`get_filename $srchfile`\"\n\n echo \"-- Signing $file ...\"\n case \"$signtype\" in\n inline)\n # Have the signature in the same file as the data\n gpg -a --clearsign -u \"$signkey\" \"$file\" 2>/dev/null\n res=$?\n if [ $res -eq 0 ]; then\n rm -f \"$file\"\n fi\n ;;\n\n detached)\n # Have the signature in a separate file\n gpg -a --detach-sign -u \"$signkey\" \"$file\" 2>/dev/null\n res=$?\n ;;\n\n *)\n echo \"** ERROR ** Unknown signing type \\\"$signtype\\\".\"\n exit 4;\n esac\n\n if [ $res -ne 0 ]; then\n echo \"** ERROR ** Failed to sign the file $PWD/$file\"\n exit 4;\n fi\n}\n\n\n#\n# Preparations\n#\n\n# Create the destination directory, using a sub-dir with the tag-name\ndestdir=\"\"\ncase \"$arg_dest_dir\" in\n /*) # Absolute path\n destdir=\"$arg_dest_dir/$arg_tag_name\"\n ;;\n *) # Make absolute path from relative path\n destdir=\"$PWD/$arg_dest_dir/$arg_tag_name\"\n ;;\nesac\necho \"-- Destination directory: $destdir\"\nif [ -e \"$destdir\" ]; then\n echo \"** ERROR ** Destination directory already exists. \"\n echo \" Please check your command line carefully.\"\n exit 2\nfi\n\nmkdir -p \"$destdir\"\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** Failed to create destination directory\"\n exit 2\nfi\n\n#\n# Start the release process\n#\n\n# Clone the remote repository\nworkdir=\"`mktemp -d -p /var/tmp openvpn-build-release-XXXXXX`\"\ncd $workdir\necho \"-- Working directory: $workdir\"\necho \"-- git clone $giturl\"\ngit clone $giturl openvpn-gen-tarball 2> \"$workdir/git-clone.log\" 1>&2\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** git clone failed. See $workdir/git-clone.log for details\"\n exit 3;\nfi\ncd openvpn-gen-tarball\n\n# Check out the proper release tag\necho \"-- Checking out tag $arg_tag_name ... \"\ngit checkout -b mkrelease \"$arg_tag_name\" 2> \"$workdir/git-checkout-tag.log\" 1>&2\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** git checkout failed. See $workdir/git-checkout-tag.log for details\"\n exit 3;\nfi\n\n# Prepare the source tree\necho \"-- Running autoreconf + a simple configure ... \"\n(autoreconf -vi && ./configure) 2> \"$workdir/autotools-prep.log\" 1>&2\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** Failed running autotools. See $workdir/autotools-prep.log for details\"\n exit 3;\nfi\n\n# Generate the tar/zip files\necho \"-- Running make distcheck (generates .tar.gz) ... \"\n(make distcheck) 2> \"$workdir/make-distcheck.log\" 1>&2\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** make distcheck failed. See $workdir/make-distcheck.log for details\"\n exit 3;\nfi\ncopy_files tar.gz \"$destdir\"\n\necho \"-- Running make dist-xz (generates .tar.xz) ... \"\n(make dist-xz) 2> \"$workdir/make-dist-xz.log\" 1>&2\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** make dist-xz failed. See $workdir/make-dist-xz.log for details\"\n exit 3;\nfi\ncopy_files tar.xz \"$destdir\"\n\necho \"-- Running make dist-zip (generates .zip) ... \"\n(make dist-zip) 2> \"$workdir/make-dist-zip.log\" 1>&2\nif [ $? -ne 0 ]; then\n echo \"** ERROR ** make dist-zip failed. See $workdir/make-dist-zip.log for details\"\n exit 3;\nfi\ncopy_files zip \"$destdir\"\n\n# Generate SHA256 checksums\ncd \"$destdir\"\nsha256sum openvpn-*.tar.{gz,xz} openvpn-*.zip > \"openvpn-$arg_tag_name.sha256sum\"\n\n# Sign all the files\necho \"-- Signing files ... \"\nsign_file \"$arg_sign_key\" \"openvpn-$arg_tag_name.sha256sum\" inline\nsign_file \"$arg_sign_key\" \"openvpn-*.tar.gz\" detached\nsign_file \"$arg_sign_key\" \"openvpn-*.tar.xz\" detached\nsign_file \"$arg_sign_key\" \"openvpn-*.zip\" detached\n\n# Create a tar-bundle with everything\necho \"-- Creating final tarbundle with everything ...\"\ntar cf \"openvpn-$arg_tag_name.tar\" openvpn-*.{tar.gz,tar.xz,zip}{,.asc} openvpn-*.sha256sum.asc\n\necho \"-- Cleaning up ...\"\n# Save the log files\nmkdir -p \"$destdir/logs\"\nmv $workdir/*.log \"$destdir/logs\"\n\n# Finally, done!\nrm -rf \"$workdir\"\necho \"-- Done\"\nexit 0\n" }, { "path": "dev-tools/gerrit-send-mail.py", "content": "#!/usr/bin/env python3\n\n# Copyright (C) 2023-2026 OpenVPN Inc \n# Copyright (C) 2023-2026 Frank Lichtenheld \n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License along\n# with this program; if not, see .\n\n# Extract a patch from Gerrit and transform it in a file suitable as input\n# for git send-email.\n\nimport argparse\nimport base64\nfrom datetime import timezone\nimport json\nimport sys\nfrom urllib.parse import urlparse\n\nimport dateutil.parser\nimport requests\n\n\ndef get_details(args):\n params = {\"o\": [\"CURRENT_REVISION\", \"LABELS\", \"DETAILED_ACCOUNTS\"]}\n r = requests.get(f\"{args.url}/changes/{args.changeid}\", params=params)\n print(r.url)\n json_txt = r.text.removeprefix(\")]}'\\n\")\n json_data = json.loads(json_txt)\n assert len(json_data[\"revisions\"]) == 1 # CURRENT_REVISION works as expected\n revision = json_data[\"revisions\"].popitem()[1][\"_number\"]\n assert \"Code-Review\" in json_data[\"labels\"]\n acked_by = []\n for reviewer in json_data[\"labels\"][\"Code-Review\"][\"all\"]:\n if \"value\" in reviewer:\n assert reviewer[\"value\"] >= 0 # no NACK\n if reviewer[\"value\"] == 2:\n # fall back to user name if optional fields are not set\n reviewer_name = reviewer.get(\"display_name\", reviewer[\"name\"])\n reviewer_mail = reviewer.get(\"email\", reviewer[\"name\"])\n ack = f\"{reviewer_name} <{reviewer_mail}>\"\n print(f\"Acked-by: {ack}\")\n acked_by.append(ack)\n # construct Signed-off-by in case it is missing\n owner = json_data[\"owner\"]\n owner_name = owner.get(\"display_name\", owner[\"name\"])\n owner_mail = owner.get(\"email\", owner[\"name\"])\n sign_off = f\"{owner_name} <{owner_mail}>\"\n print(f\"Signed-off-by: {sign_off}\")\n change_id = json_data[\"change_id\"]\n # assumes that the created date in Gerrit is in UTC\n utc_stamp = (\n dateutil.parser.parse(json_data[\"created\"])\n .replace(tzinfo=timezone.utc)\n .timestamp()\n )\n # convert to milliseconds as used in message id\n created_stamp = int(utc_stamp * 1000)\n hostname = urlparse(args.url).hostname\n msg_id = f\"gerrit.{created_stamp}.{change_id}@{hostname}\"\n return {\n \"revision\": revision,\n \"project\": json_data[\"project\"],\n \"target\": json_data[\"branch\"],\n \"msg_id\": msg_id,\n \"acked_by\": acked_by,\n \"sign_off\": sign_off,\n }\n\n\ndef get_patch(details, args):\n r = requests.get(\n f\"{args.url}/changes/{args.changeid}/revisions/{details['revision']}/patch?download\"\n )\n print(r.url)\n patch_text = base64.b64decode(r.text).decode()\n return patch_text\n\n\ndef apply_patch_mods(patch_text, details, args):\n comment_start = patch_text.index(\"\\n---\\n\") + len(\"\\n---\\n\")\n signed_off_text = \"\"\n signed_off_comment = \"\"\n try:\n signed_off_start = patch_text.rindex(\"\\nSigned-off-by: \")\n signed_off_end = patch_text.index(\"\\n\", signed_off_start + 1) + 1\n except ValueError: # Signed-off missing\n signed_off_text = f\"Signed-off-by: {details['sign_off']}\\n\"\n signed_off_comment = \"\\nSigned-off-by line for the author was added as per our policy.\\n\"\n signed_off_end = patch_text.index(\"\\n---\\n\") + 1\n assert comment_start > signed_off_end\n acked_by_text = \"\"\n acked_by_names = \"\"\n gerrit_url = f\"{args.url}/c/{details['project']}/+/{args.changeid}\"\n for ack in details[\"acked_by\"]:\n acked_by_text += f\"Acked-by: {ack}\\n\"\n acked_by_names += f\"{ack}\\n\"\n patch_text_mod = (\n patch_text[:signed_off_end]\n + signed_off_text\n + acked_by_text\n + f\"Gerrit URL: {gerrit_url}\\n\"\n + patch_text[signed_off_end:comment_start]\n + f\"\"\"\nThis change was reviewed on Gerrit and approved by at least one\ndeveloper. I request to merge it to {details[\"target\"]}.\n\nGerrit URL: {gerrit_url}\nThis mail reflects revision {details[\"revision\"]} of this Change.\n{signed_off_comment}\nAcked-by according to Gerrit (reflected above):\n{acked_by_names}\n \"\"\"\n + patch_text[comment_start:]\n )\n filename = f\"gerrit-{args.changeid}-{details['revision']}.patch\"\n patch_text_final = patch_text_mod.replace(\"Subject: [PATCH]\", f\"Subject: [PATCH v{details['revision']}]\")\n with open(filename, \"w\", encoding=\"utf-8\", newline=\"\\n\") as patch_file:\n patch_file.write(patch_text_final)\n print(\"send with:\")\n print(f\"git send-email --in-reply-to {details['msg_id']} {filename}\")\n\n\ndef main():\n parser = argparse.ArgumentParser(\n prog=\"gerrit-send-mail\",\n description=\"Send patchset from Gerrit to mailing list\",\n )\n parser.add_argument(\"changeid\")\n parser.add_argument(\"-u\", \"--url\", default=\"https://gerrit.openvpn.net\")\n args = parser.parse_args()\n\n details = get_details(args)\n patch = get_patch(details, args)\n apply_patch_mods(patch, details, args)\n\n\nif __name__ == \"__main__\":\n sys.exit(main())\n" }, { "path": "dev-tools/git-pre-commit-format.sh", "content": "#!/bin/sh\n\n# Copyright (c) 2015, David Martin\n# 2022, Heiko Hund\n# 2025, Frank Lichtenheld\n# All rights reserved.\n#\n# Redistribution and use in source and binary forms, with or without\n# modification, are permitted provided that the following conditions are met:\n#\n# * Redistributions of source code must retain the above copyright notice, this\n# list of conditions and the following disclaimer.\n#\n# * Redistributions in binary form must reproduce the above copyright notice,\n# this list of conditions and the following disclaimer in the documentation\n# and/or other materials provided with the distribution.\n#\n# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\n# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\n# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\n# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\n# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\n# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\n# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n\n# git pre-commit hook that runs a stylecheck.\n# Features:\n# - abort commit when commit does not comply with the style guidelines\n# - create a patch of the proposed style changes\n# - use clang-format or uncrustify depending on presence of .clang-format\n# config file\n#\n# More info on Uncrustify: https://uncrustify.sourceforge.net/\n\n# This file was taken from a set of unofficial pre-commit hooks available\n# at https://github.com/ddddavidmartin/Pre-commit-hooks and modified to\n# fit the openvpn project's needs\n\n# exit on error\nset -e\n\n\n# If called so, install this script as pre-commit hook\nif [ \"$1\" = \"install\" ] ; then\n TARGET=\"$(git rev-parse --git-path hooks)/pre-commit\"\n\n if [ -e \"$TARGET\" ] ; then\n printf \"$TARGET file exists. Won't overwrite.\\n\"\n printf \"Aborting installation.\\n\"\n exit 1\n fi\n\n read -p \"Install as $TARGET? [y/N] \" INPUT\n [ \"$INPUT\" = \"y\" ] || exit 0\n cp \"$0\" \"$TARGET\"\n chmod +x $TARGET\n exit 0\nfi\n\n# check whether the given file matches any of the set extensions\nmatches_extension() {\n local filename=\"$(basename -- \"$1\")\"\n local extension=\".${filename##*.}\"\n local ext\n\n for ext in .c .h ; do [ \"$ext\" = \"$extension\" ] && return 0; done\n\n return 1\n}\n\n# necessary check for initial commit\nif git rev-parse --verify HEAD >/dev/null 2>&1 ; then\n against=HEAD\nelse\n # Initial commit: diff against an empty tree object\n against=4b825dc642cb6eb9a060e54bf8d69288fbee4904\nfi\n\nTOPDIR=\"$(git rev-parse --show-toplevel)\"\nif [ -e \"${TOPDIR}/.clang-format\" ]; then\n TOOL=clang-format\n TOOL_BIN=$(command -v clang-format)\n TOOL_CMD=\"$TOOL_BIN\"\n\n # Allow to use in parallel with pre-commit\n if [ $(basename \"$0\") = \"pre-commit.legacy\" ]; then\n echo \"Skipping clang-format check in favor of pre-commit\"\n exit 0\n fi\nelse\n TOOL=uncrustify\n TOOL_BIN=$(command -v uncrustify)\n UNCRUST_CONFIG=\"${TOPDIR}/dev-tools/uncrustify.conf\"\n TOOL_CMD=\"$TOOL_BIN -q -l C -c $UNCRUST_CONFIG\"\n\n # make sure the config file is correctly set\n if [ ! -f \"$UNCRUST_CONFIG\" ] ; then\n printf \"Error: uncrustify config file not found.\\n\"\n printf \"Expected to find it at $UNCRUST_CONFIG.\\n\"\n printf \"Aborting commit.\\n\"\n exit 1\n fi\nfi\n\nif [ -z \"$TOOL_BIN\" ] ; then\n printf \"Error: $TOOL executable not found.\\n\"\n printf \"Is it installed and in your \\$PATH?\\n\"\n printf \"Aborting commit.\\n\"\n exit 1\nfi\n\n# create a filename to store our generated patch\npatch=$(mktemp /tmp/ovpn-fmt-patch-XXXXXX)\ntmpout=$(mktemp /tmp/ovpn-fmt-tmp-XXXXXX)\n\n# create one patch containing all changes to the files\n# sed to remove quotes around the filename, if inserted by the system\n# (done sometimes, if the filename contains special characters, like the quote itself)\ngit diff-index --cached --diff-filter=ACMR --name-only $against -- | \\\nsed -e 's/^\"\\(.*\\)\"$/\\1/' | \\\nwhile read file\ndo\n # ignore file if we do check for file extensions and the file\n # does not match the extensions .c or .h\n if ! matches_extension \"$file\"; then\n continue;\n fi\n\n # escape special characters in the target filename:\n # phase 1 (characters escaped in the output diff):\n # - '\\': backslash needs to be escaped in the output diff\n # - '\"': quote needs to be escaped in the output diff if present inside\n # of the filename, as it used to bracket the entire filename part\n # phase 2 (characters escaped in the match replacement):\n # - '\\': backslash needs to be escaped again for sed itself\n # (i.e. double escaping after phase 1)\n # - '&': would expand to matched string\n # - '|': used as sed split char instead of '/'\n # printf %s particularly important if the filename contains the % character\n file_escaped_target=$(printf \"%s\" \"$file\" | sed -e 's/[\\\"]/\\\\&/g' -e 's/[\\&|]/\\\\&/g')\n\n # uncrustify our sourcefile, create a patch with diff and append it to our $patch\n # The sed call is necessary to transform the patch from\n # --- - timestamp\n # +++ $tmpout timestamp\n # to both lines working on the same file and having a a/ and b/ prefix.\n # Else it can not be applied with 'git apply'.\n git show \":$file\" | $TOOL_CMD > \"$tmpout\"\n git show \":$file\" | diff -u -- - \"$tmpout\" | \\\n sed -e \"1s|--- -|--- \\\"b/$file_escaped_target\\\"|\" -e \"2s|+++ $tmpout|+++ \\\"a/$file_escaped_target\\\"|\" >> \"$patch\"\ndone\n\nrm -f \"$tmpout\"\n\n# if no patch has been generated all is ok, clean up the file stub and exit\nif [ ! -s \"$patch\" ] ; then\n rm -f \"$patch\"\n exit 0\nfi\n\n# a patch has been created, notify the user and exit\nprintf \"Formatting of some code does not follow the project guidelines.\\n\"\n\nif [ $(wc -l < $patch) -gt 80 ] ; then\n printf \"The file $patch contains the necessary fixes.\\n\"\nelse\n printf \"Here's the patch that fixes the formatting:\\n\\n\"\n cat $patch\nfi\n\nprintf \"\\nYou can apply these changes with:\\n git apply $patch\\n\"\nprintf \"(from the root directory of the repository) and then commit again.\\n\"\nprintf \"\\nAborting commit.\\n\"\n\nexit 1\n" }, { "path": "dev-tools/update-copyright.sh", "content": "#!/bin/sh\n# update-copyright-sh - Simple tool to update the Copyright lines\n# in all files checked into git\n#\n# Copyright (C) 2016-2026 OpenVPN Inc \n# Copyright (C) 2016-2026 David Sommerseth \n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, see .\n#\n\n# Basic shell sanity\nset -eu\n\n# Simple argument control\nif [ $# -ne 1 ]; then\n echo \"Usage: $0 \"\n exit 1\nfi\n\n# Only update Copyright lines with these owners\n# The 'or' operator is GNU sed specific, and must be \\|\nUPDATE_COPYRIGHT_LINES=\"@openvpn\\.net\\|@sentyron\\.com\\|@sophos.com\\|@eurephia\\.org\\|@greenie\\.muc\\.de\\|@rozman.si\\|@unstable\\.cc\\|@rfc2549.org\\|@karger\\.me\\|selva.nair@\"\nCOPY_YEAR=\"$1\"\n\ncd \"$(git rev-parse --show-toplevel)\"\nfor file in $(git ls-files | grep -v vendor/);\ndo\n echo -n \"Updating $file ...\"\n # The first sed operation covers 20xx-20yy copyright lines,\n # The second sed operation changes 20xx -> 20xx-20yy\n sed -e \"/$UPDATE_COPYRIGHT_LINES/s/\\(Copyright (C) 20..-\\)\\(20..\\)[[:blank:]]\\+/\\1$COPY_YEAR /\" \\\n -e \"/$UPDATE_COPYRIGHT_LINES/s/\\(Copyright (C) \\)\\(20..\\)[[:blank:]]\\+/\\1\\2-$COPY_YEAR /\" \\\n -i $file\n echo \" Done\"\ndone\necho\necho \"** All files updated with $COPY_YEAR as the ending copyright year\"\necho\nexit 0\n" }, { "path": "distro/Makefile.am", "content": "#\n# OpenVPN -- An application to securely tunnel IP networks\n# over a single UDP port, with support for SSL/TLS-based\n# session authentication and key exchange,\n# packet encryption, packet authentication, and\n# packet compression.\n#\n# Copyright (C) 2002-2026 OpenVPN Inc \n# Copyright (C) 2006-2012 Alon Bar-Lev \n#\n\nMAINTAINERCLEANFILES = \\\n\t$(srcdir)/Makefile.in\n\nSUBDIRS = systemd\n\nif ENABLE_DNS_UPDOWN\nSUBDIRS += dns-scripts\nendif\n" }, { "path": "distro/dns-scripts/Makefile.am", "content": "#\n# OpenVPN -- An application to securely tunnel IP networks\n# over a single UDP port, with support for SSL/TLS-based\n# session authentication and key exchange,\n# packet encryption, packet authentication, and\n# packet compression.\n#\n# Copyright (C) 2002-2026 OpenVPN Inc \n#\n\nMAINTAINERCLEANFILES = \\\n\t$(srcdir)/Makefile.in\n\nEXTRA_DIST = \\\n\tmacos-dns-updown.sh \\\n\tsystemd-dns-updown.sh \\\n\topenresolv-dns-updown.sh \\\n\thaikuos_file-dns-updown.sh \\\n\tresolvconf_file-dns-updown.sh\n\nscript_SCRIPTS = \\\n\tdns-updown\n\nCLEANFILES = $(script_SCRIPTS)\n\ndns-updown: @DNS_UPDOWN_TYPE@-dns-updown.sh\n\tcp ${srcdir}/@DNS_UPDOWN_TYPE@-dns-updown.sh $@\n\tchmod +x $@\n\nall: $(script_SCRIPTS)\n" }, { "path": "distro/dns-scripts/haikuos_file-dns-updown.sh", "content": "#!/bin/sh\n#\n# Simple OpenVPN up/down script for modifying Haiku OS resolv.conf\n# (C) Copyright 2024 OpenVPN Inc \n#\n# SPDX-License-Identifier: BSD-2-Clause\n#\n# Example env from openvpn (most are not applied):\n#\n# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp\n#\n# or\n#\n# dev tun0\n# script_type dns-up\n# dns_search_domain_1 mycorp.in\n# dns_search_domain_2 eu.mycorp.com\n# dns_server_1_address_1 192.168.99.254\n# dns_server_1_address_2 fd00::99:53\n# dns_server_1_port_1 53\n# dns_server_1_port_2 53\n# dns_server_1_resolve_domain_1 mycorp.in\n# dns_server_1_resolve_domain_2 eu.mycorp.com\n# dns_server_1_dnssec true\n# dns_server_1_transport DoH\n# dns_server_1_sni dns.mycorp.in\n#\n\nset -e +u\n\nonly_standard_server_ports() {\n i=1\n while true; do\n eval addr=\\\"\\$dns_server_${n}_address_${i}\\\"\n [ -n \"$addr\" ] || return 0\n\n eval port=\\\"\\$dns_server_${n}_port_${i}\\\"\n [ -z \"$port\" -o \"$port\" = \"53\" ] || return 1\n\n i=$(expr $i + 1)\n done\n}\n\nconf=/boot/system/settings/network/resolv.conf\ntest -e \"$conf\" || exit 1\ntest -z \"${dns_vars_file}\" || . \"${dns_vars_file}\"\ncase \"${script_type}\" in\ndns-up)\n n=1\n while :; do\n eval addr=\\\"\\$dns_server_${n}_address_1\\\"\n [ -n \"$addr\" ] || {\n echo \"setting DNS failed, no compatible server profile\"\n exit 1\n }\n\n # Skip server profiles which require DNSSEC,\n # secure transport or use a custom port\n eval dnssec=\\\"\\$dns_server_${n}_dnssec\\\"\n eval transport=\\\"\\$dns_server_${n}_transport\\\"\n [ -z \"$transport\" -o \"$transport\" = \"plain\" ] \\\n && [ -z \"$dnssec\" -o \"$dnssec\" = \"no\" ] \\\n && only_standard_server_ports && break\n\n n=$(expr $n + 1)\n done\n\n eval addr1=\\\"\\$dns_server_${n}_address_1\\\"\n eval addr2=\\\"\\$dns_server_${n}_address_2\\\"\n eval addr3=\\\"\\$dns_server_${n}_address_3\\\"\n text=\"### openvpn ${dev} begin ###\\n\"\n text=\"${text}nameserver $addr1\\n\"\n test -z \"$addr2\" || text=\"${text}nameserver $addr2\\n\"\n test -z \"$addr3\" || text=\"${text}nameserver $addr3\\n\"\n\n test -z \"$dns_search_domain_1\" || {\n for i in $(seq 1 6); do\n eval domains=\\\"$domains\\$dns_search_domain_${i} \\\" || break\n done\n text=\"${text}search $domains\\n\"\n }\n text=\"${text}### openvpn ${dev} end ###\"\n text=\"${text}\\n$(cat ${conf})\"\n\n echo \"${text}\" > \"${conf}\"\n ;;\ndns-down)\n sed -i'' -e \"/### openvpn ${dev} begin ###/,/### openvpn ${dev} end ###/d\" \"$conf\"\n ;;\nesac\n" }, { "path": "distro/dns-scripts/macos-dns-updown.sh", "content": "#!/bin/bash\n#\n# dns-updown - add/remove openvpn provided DNS information\n#\n# (C) Copyright 2025 OpenVPN Inc \n#\n# SPDX-License-Identifier: BSD-2-Clause\n#\n# Example env from openvpn (most are not applied):\n#\n# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp\n#\n# or\n#\n# dev utun0\n# script_type dns-up\n# dns_search_domain_1 mycorp.in\n# dns_search_domain_2 eu.mycorp.com\n# dns_server_1_address_1 192.168.99.254\n# dns_server_1_address_2 fd00::99:53\n# dns_server_1_port_2 53\n# dns_server_1_resolve_domain_1 mycorp.in\n# dns_server_1_resolve_domain_2 eu.mycorp.com\n# dns_server_1_dnssec true\n# dns_server_1_transport DoH\n# dns_server_1_sni dns.mycorp.in\n#\n\nlockdir=/var/lock\nif [ ! -d \"${lockdir}\" ]; then\n /bin/mkdir \"${lockdir}\"\n /bin/chmod 1777 \"${lockdir}\"\nfi\n\ni=1\nlockfile=\"${lockdir}/openvpn-dns-updown.lock\"\nwhile ! /usr/bin/shlock -f $lockfile -p $$; do\n if [ $((++i)) -gt 10 ]; then\n echo \"dns-updown failed, could not acquire lock\"\n exit 1\n fi\n sleep 0.2\ndone\ntrap \"/bin/rm -f ${lockfile}\" EXIT\n\n[ -z \"${dns_vars_file}\" ] || . \"${dns_vars_file}\"\n\nitf_dns_key=\"State:/Network/Service/openvpn-${dev}/DNS\"\n\nfunction primary_dns_key {\n local uuid=$(echo \"show State:/Network/Global/IPv4\" | /usr/sbin/scutil | grep \"PrimaryService\" | cut -d: -f2 | xargs)\n echo \"Setup:/Network/Service/${uuid}/DNS\"\n}\n\nfunction dns_backup_key {\n local key=\"$(echo \"list State:/Network/Service/openvpn-.*/DnsBackup\" | /usr/sbin/scutil | cut -d= -f2 | xargs)\"\n if [[ \"${key}\" =~ no\\ key ]]; then\n echo \"State:/Network/Service/openvpn-${dev}/DnsBackup\"\n else\n echo \"${key}\"\n fi\n}\n\nfunction property_value {\n local key=\"$1\"\n local prop=\"$2\"\n\n [ -n \"${key}\" -a -n \"${prop}\" ] || return\n\n local match_prop=\"${prop} : (.*)\"\n local match_array_start=\"${prop} : \"\n local match_array_elem=\"[0-9]* : (.*)\"\n local match_array_end=\"}\"\n local in_array=false\n local values=\"\"\n\n echo \"show ${key}\" | /usr/sbin/scutil | while read line; do\n if [ \"${in_array}\" = false ] && [[ \"${line}\" =~ \"${match_array_start}\" ]]; then\n in_array=true\n elif [ \"${in_array}\" = true ] && [[ \"${line}\" =~ ${match_array_elem} ]]; then\n values+=\"${BASH_REMATCH[1]} \"\n elif [ \"${in_array}\" = true ] && [[ \"${line}\" =~ \"${match_array_end}\" ]]; then\n echo \"${values}\"\n break\n elif [[ \"${line}\" =~ ${match_prop} ]]; then\n echo \"${BASH_REMATCH[1]}\"\n break\n fi\n done\n}\n\nfunction only_standard_server_ports {\n local i=1\n while :; do\n local addr_var=dns_server_${n}_address_${i}\n [ -n \"${!addr_var}\" ] || return 0\n\n local port_var=dns_server_${n}_port_${i}\n [ -z \"${!port_var}\" -o \"${!port_var}\" = \"53\" ] || return 1\n\n i=$((i+1))\n done\n}\n\nfunction find_compat_profile {\n local n=1\n while :; do\n local addr_var=dns_server_${n}_address_1\n [ -n \"${!addr_var}\" ] || {\n echo \"setting DNS failed, no compatible server profile\"\n exit 1\n }\n\n # Skip server profiles which require DNSSEC,\n # secure transport or use a custom port\n local dnssec_var=dns_server_${n}_dnssec\n local transport_var=dns_server_${n}_transport\n [ -z \"${!transport_var}\" -o \"${!transport_var}\" = \"plain\" ] \\\n && [ -z \"${!dnssec_var}\" -o \"${!dnssec_var}\" = \"no\" ] \\\n && only_standard_server_ports && break\n\n n=$((n+1))\n done\n echo $n\n}\n\nfunction get_search_domains {\n property_value State:/Network/Global/DNS SearchDomains\n}\n\nfunction get_server_addresses {\n property_value \"$(primary_dns_key)\" ServerAddresses\n}\n\nfunction set_search_domains {\n [ -n \"$1\" ] || return\n local dns_key=$(primary_dns_key)\n local dns_backup_key=\"$(dns_backup_key)\"\n local search_domains=\"${1}$(get_search_domains)\"\n\n local cmds=\"\"\n cmds+=\"get ${dns_key}\\n\"\n cmds+=\"d.add SearchDomains * ${search_domains}\\n\"\n cmds+=\"set ${dns_key}\\n\"\n\n if ! [[ \"${dns_backup_key}\" =~ ${dev}/ ]]; then\n # Add the domains to the backup in case the default goes down\n local existing=\"$(property_value ${dns_backup_key} SearchDomains)\"\n cmds+=\"get ${dns_backup_key}\\n\"\n cmds+=\"d.add SearchDomains * ${search_domains} ${existing}\\n\"\n cmds+=\"set ${dns_backup_key}\\n\"\n fi\n\n echo -e \"${cmds}\" | /usr/sbin/scutil\n}\n\nfunction unset_search_domains {\n [ -n \"$1\" ] || return\n local dns_key=$(primary_dns_key)\n local dns_backup_key=\"$(dns_backup_key)\"\n local search_domains=\"$(get_search_domains)\"\n search_domains=$(echo $search_domains | sed -e \"s/$1//\")\n\n local cmds=\"\"\n cmds+=\"get ${dns_key}\\n\"\n cmds+=\"d.add SearchDomains * ${search_domains}\\n\"\n cmds+=\"set ${dns_key}\\n\"\n\n if ! [[ \"${dns_backup_key}\" =~ ${dev}/ ]]; then\n # Remove the domains from the backup for when the default goes down\n search_domains=\"$(property_value ${dns_backup_key} SearchDomains)\"\n search_domains=$(echo $search_domains | sed -e \"s/$1//\")\n cmds+=\"get ${dns_backup_key}\\n\"\n cmds+=\"d.add SearchDomains * ${search_domains}\\n\"\n cmds+=\"set ${dns_backup_key}\\n\"\n fi\n\n echo -e \"${cmds}\" | /usr/sbin/scutil\n}\n\nfunction addresses_string {\n local n=$1\n local i=1\n local addresses=\"\"\n while :; do\n local addr_var=dns_server_${n}_address_${i}\n local addr=\"${!addr_var}\"\n [ -n \"$addr\" ] || break\n addresses+=\"${addr} \"\n i=$((i+1))\n done\n echo \"$addresses\"\n}\n\nfunction search_domains_string {\n local n=$1\n local i=1\n local search_domains=\"\"\n while :; do\n domain_var=dns_search_domain_${i}\n [ -n \"${!domain_var}\" ] || break\n # Add as search domain, if it doesn't already exist\n [[ \"$search_domains\" =~ (^| )${!domain_var}( |$) ]] \\\n || search_domains+=\"${!domain_var} \"\n i=$((i+1))\n done\n echo \"$search_domains\"\n}\n\nfunction match_domains_string {\n local n=$1\n local i=1\n local match_domains=\"\"\n while :; do\n domain_var=dns_server_${n}_resolve_domain_${i}\n [ -n \"${!domain_var}\" ] || break\n # Add as match domain, if it doesn't already exist\n [[ \"$match_domains\" =~ (^| )${!domain_var}( |$) ]] \\\n || match_domains+=\"${!domain_var} \"\n i=$((i+1))\n done\n echo \"$match_domains\"\n}\n\nfunction set_dns {\n local n=\"$(find_compat_profile)\"\n local addresses=\"$(addresses_string $n)\"\n local search_domains=\"$(search_domains_string $n)\"\n local match_domains=\"$(match_domains_string $n)\"\n\n if [ -n \"$match_domains\" ]; then\n local cmds=\"\"\n cmds+=\"d.init\\n\"\n cmds+=\"d.add ServerAddresses * ${addresses}\\n\"\n cmds+=\"d.add SupplementalMatchDomains * ${match_domains}\\n\"\n cmds+=\"d.add SupplementalMatchDomainsNoSearch # 1\\n\"\n cmds+=\"add ${itf_dns_key}\\n\"\n echo -e \"${cmds}\" | /usr/sbin/scutil\n set_search_domains \"$search_domains\"\n else\n local dns_backup_key=\"$(dns_backup_key)\"\n [[ \"${dns_backup_key}\" =~ ${dev}/ ]] || {\n echo \"setting DNS failed, already redirecting to another tunnel\"\n exit 1\n }\n\n local cmds=\"\"\n cmds+=\"get $(primary_dns_key)\\n\"\n cmds+=\"set ${dns_backup_key}\\n\"\n cmds+=\"d.init\\n\"\n cmds+=\"d.add ServerAddresses * ${addresses}\\n\"\n cmds+=\"d.add SearchDomains * ${search_domains}\\n\"\n cmds+=\"d.add SearchOrder # 5000\\n\"\n cmds+=\"set $(primary_dns_key)\\n\"\n echo -e \"${cmds}\" | /usr/sbin/scutil\n fi\n\n /usr/bin/dscacheutil -flushcache\n}\n\nfunction unset_dns {\n local n=\"$(find_compat_profile)\"\n local match_domains=\"$(match_domains_string $n)\"\n\n if [ -n \"$match_domains\" ]; then\n local search_domains=\"$(search_domains_string $n)\"\n echo \"remove ${itf_dns_key}\" | /usr/sbin/scutil\n unset_search_domains \"$search_domains\"\n else\n # Do not unset if this tunnel did not set/backup DNS before\n local dns_backup_key=\"$(dns_backup_key)\"\n [[ \"${dns_backup_key}\" =~ ${dev}/ ]] || return\n\n local cmds=\"\"\n local servers=\"$(get_server_addresses)\"\n local addresses=\"$(addresses_string $n)\"\n # Only restore backup if the server addresses match\n if [ \"${servers}\" = \"${addresses}\" ]; then\n cmds+=\"get ${dns_backup_key}\\n\"\n cmds+=\"set $(primary_dns_key)\\n\"\n else\n echo \"not restoring global DNS configuration, server addresses have changed\"\n fi\n cmds+=\"remove ${dns_backup_key}\\n\"\n echo -e \"${cmds}\" | /usr/sbin/scutil\n fi\n\n /usr/bin/dscacheutil -flushcache\n}\n\nif [ \"$script_type\" = \"dns-up\" ]; then\n set_dns\nelse\n unset_dns\nfi\n" }, { "path": "distro/dns-scripts/openresolv-dns-updown.sh", "content": "#!/bin/sh\n#\n# Simple OpenVPN up/down script for openresolv integration\n# (C) Copyright 2016 Baptiste Daroussin\n# 2024 OpenVPN Inc \n#\n# SPDX-License-Identifier: BSD-2-Clause\n#\n# Example env from openvpn (most are not applied):\n#\n# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp\n#\n# or\n#\n# dev tun0\n# script_type dns-up\n# dns_search_domain_1 mycorp.in\n# dns_search_domain_2 eu.mycorp.com\n# dns_server_1_address_1 192.168.99.254\n# dns_server_1_address_2 fd00::99:53\n# dns_server_1_port_1 53\n# dns_server_1_port_2 53\n# dns_server_1_resolve_domain_1 mycorp.in\n# dns_server_1_resolve_domain_2 eu.mycorp.com\n# dns_server_1_dnssec true\n# dns_server_1_transport DoH\n# dns_server_1_sni dns.mycorp.in\n#\n\nset -e +u\n\nonly_standard_server_ports() {\n i=1\n while true; do\n eval addr=\\\"\\$dns_server_${n}_address_${i}\\\"\n [ -n \"$addr\" ] || return 0\n\n eval port=\\\"\\$dns_server_${n}_port_${i}\\\"\n [ -z \"$port\" -o \"$port\" = \"53\" ] || return 1\n\n i=$(expr $i + 1)\n done\n}\n\n[ -z \"${dns_vars_file}\" ] || . \"${dns_vars_file}\"\n: ${script_type:=dns-down}\ncase \"${script_type}\" in\ndns-up)\n n=1\n while :; do\n eval addr=\\\"\\$dns_server_${n}_address_1\\\"\n [ -n \"$addr\" ] || {\n echo \"setting DNS failed, no compatible server profile\"\n exit 1\n }\n\n # Skip server profiles which require DNSSEC,\n # secure transport or use a custom port\n eval dnssec=\\\"\\$dns_server_${n}_dnssec\\\"\n eval transport=\\\"\\$dns_server_${n}_transport\\\"\n [ -z \"$transport\" -o \"$transport\" = \"plain\" ] \\\n && [ -z \"$dnssec\" -o \"$dnssec\" = \"no\" ] \\\n && only_standard_server_ports && break\n\n n=$(expr $n + 1)\n done\n\n {\n i=1\n maxns=3\n while :; do\n maxns=$((maxns - 1))\n [ $maxns -gt 0 ] || break\n eval option=\\\"\\$dns_server_${n}_address_${i}\\\" || break\n [ \"${option}\" ] || break\n i=$((i + 1))\n echo \"nameserver ${option}\"\n done\n i=1\n maxdom=6\n while :; do\n maxdom=$((maxdom - 1))\n [ $maxdom -gt 0 ] || break\n eval option=\\\"\\$dns_search_domain_${i}\\\" || break\n [ \"${option}\" ] || break\n i=$((i + 1))\n echo \"search ${option}\"\n done\n } | /sbin/resolvconf -a \"${dev}\"\n ;;\ndns-down)\n /sbin/resolvconf -d \"${dev}\" -f\n ;;\nesac\n" }, { "path": "distro/dns-scripts/resolvconf_file-dns-updown.sh", "content": "#!/bin/sh\n#\n# Simple OpenVPN up/down script for modifying /etc/resolv.conf\n# (C) Copyright 2024 OpenVPN Inc \n#\n# SPDX-License-Identifier: BSD-2-Clause\n#\n# Example env from openvpn (most are not applied):\n#\n# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp\n#\n# or\n#\n# dev tun0\n# script_type dns-up\n# dns_search_domain_1 mycorp.in\n# dns_search_domain_2 eu.mycorp.com\n# dns_server_1_address_1 192.168.99.254\n# dns_server_1_address_2 fd00::99:53\n# dns_server_1_port_1 53\n# dns_server_1_port_2 53\n# dns_server_1_resolve_domain_1 mycorp.in\n# dns_server_1_resolve_domain_2 eu.mycorp.com\n# dns_server_1_dnssec true\n# dns_server_1_transport DoH\n# dns_server_1_sni dns.mycorp.in\n#\n\nset -e +u\n\nonly_standard_server_ports() {\n i=1\n while true; do\n eval addr=\\\"\\$dns_server_${n}_address_${i}\\\"\n [ -n \"$addr\" ] || return 0\n\n eval port=\\\"\\$dns_server_${n}_port_${i}\\\"\n [ -z \"$port\" -o \"$port\" = \"53\" ] || return 1\n\n i=$(expr $i + 1)\n done\n}\n\nconf=/etc/resolv.conf\ntest -e \"$conf\" || exit 1\ntest -z \"${dns_vars_file}\" || . \"${dns_vars_file}\"\ncase \"${script_type}\" in\ndns-up)\n n=1\n while :; do\n eval addr=\\\"\\$dns_server_${n}_address_1\\\"\n [ -n \"$addr\" ] || {\n echo \"setting DNS failed, no compatible server profile\"\n exit 1\n }\n\n # Skip server profiles which require DNSSEC,\n # secure transport or use a custom port\n eval dnssec=\\\"\\$dns_server_${n}_dnssec\\\"\n eval transport=\\\"\\$dns_server_${n}_transport\\\"\n [ -z \"$transport\" -o \"$transport\" = \"plain\" ] \\\n && [ -z \"$dnssec\" -o \"$dnssec\" = \"no\" ] \\\n && only_standard_server_ports && break\n\n n=$(expr $n + 1)\n done\n\n eval addr1=\\\"\\$dns_server_${n}_address_1\\\"\n eval addr2=\\\"\\$dns_server_${n}_address_2\\\"\n eval addr3=\\\"\\$dns_server_${n}_address_3\\\"\n text=\"### openvpn ${dev} begin ###\\n\"\n text=\"${text}nameserver $addr1\\n\"\n test -z \"$addr2\" || text=\"${text}nameserver $addr2\\n\"\n test -z \"$addr3\" || text=\"${text}nameserver $addr3\\n\"\n\n test -z \"$dns_search_domain_1\" || {\n for i in $(seq 1 6); do\n eval domains=\\\"$domains\\$dns_search_domain_${i} \\\" || break\n done\n text=\"${text}search $domains\\n\"\n }\n text=\"${text}### openvpn ${dev} end ###\"\n text=\"${text}\\n$(cat ${conf})\"\n\n echo \"${text}\" > \"${conf}\"\n ;;\ndns-down)\n sed -i'' -e \"/### openvpn ${dev} begin ###/,/### openvpn ${dev} end ###/d\" \"$conf\"\n ;;\nesac\n" }, { "path": "distro/dns-scripts/systemd-dns-updown.sh", "content": "#!/bin/bash\n#\n# dns-updown - add/remove openvpn provided DNS information\n#\n# Copyright (C) 2024-2026 OpenVPN Inc \n#\n# SPDX-License-Identifier: GPL-2.0\n#\n# Add/remove openvpn DNS settings from the env into/from\n# the system. Supported backends in this order:\n#\n# * systemd-resolved\n# * resolvconf\n# * /etc/resolv.conf file\n#\n# Example env from openvpn (not all are always applied):\n#\n# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp\n#\n# or\n#\n# dev tun0\n# script_type dns-up\n# dns_search_domain_1 mycorp.in\n# dns_search_domain_2 eu.mycorp.com\n# dns_server_1_address_1 192.168.99.254\n# dns_server_1_address_2 fd00::99:53\n# dns_server_1_port_1 53\n# dns_server_1_port_2 53\n# dns_server_1_resolve_domain_1 mycorp.in\n# dns_server_1_resolve_domain_2 eu.mycorp.com\n# dns_server_1_dnssec true\n# dns_server_1_transport DoH\n# dns_server_1_sni dns.mycorp.in\n#\n\n[ -z \"${dns_vars_file}\" ] || . \"${dns_vars_file}\"\n\nfunction do_resolved_servers {\n local sni=\"\"\n local transport_var=dns_server_${n}_transport\n local sni_var=dns_server_${n}_sni\n [ \"${!transport_var}\" = \"DoT\" ] && sni=\"#${!sni_var}\"\n\n local i=1\n local addrs=\"\"\n while :; do\n local addr_var=dns_server_${n}_address_${i}\n local addr=\"${!addr_var}\"\n [ -n \"$addr\" ] || break\n\n local port_var=dns_server_${n}_port_${i}\n if [ -n \"${!port_var}\" ]; then\n if [[ \"$addr\" =~ : ]]; then\n addr=\"[$addr]\"\n fi\n addrs+=\"${addr}:${!port_var}${sni} \"\n else\n addrs+=\"${addr}${sni} \"\n fi\n i=$((i+1))\n done\n\n resolvectl dns \"$dev\" $addrs\n}\n\nfunction do_resolved_domains {\n local list=\"\"\n for domain_var in ${!dns_search_domain_*}; do\n list+=\"${!domain_var} \"\n done\n local domain_var=dns_server_${n}_resolve_domain_1\n if [ -z \"${!domain_var}\" ]; then\n resolvectl default-route \"$dev\" true\n list+=\"~.\"\n else\n resolvectl default-route \"$dev\" false\n local i=1\n while :; do\n domain_var=dns_server_${n}_resolve_domain_${i}\n [ -n \"${!domain_var}\" ] || break\n # Add as split domain (~ prefix), if it doesn't already exist\n [[ \"$list\" =~ (^| )\"${!domain_var}\"( |$) ]] \\\n || list+=\"~${!domain_var} \"\n i=$((i+1))\n done\n fi\n\n resolvectl domain \"$dev\" $list\n}\n\nfunction do_resolved_dnssec {\n local dnssec_var=dns_server_${n}_dnssec\n if [ \"${!dnssec_var}\" = \"optional\" ]; then\n resolvectl dnssec \"$dev\" allow-downgrade\n elif [ \"${!dnssec_var}\" = \"yes\" ]; then\n resolvectl dnssec \"$dev\" true\n else\n resolvectl dnssec \"$dev\" false\n fi\n}\n\nfunction do_resolved_dnsovertls {\n local transport_var=dns_server_${n}_transport\n if [ \"${!transport_var}\" = \"DoT\" ]; then\n resolvectl dnsovertls \"$dev\" true\n else\n resolvectl dnsovertls \"$dev\" false\n fi\n}\n\nfunction do_resolved {\n [[ \"$(readlink /etc/resolv.conf)\" =~ systemd ]] || return 1\n\n n=1\n while :; do\n local addr_var=dns_server_${n}_address_1\n [ -n \"${!addr_var}\" ] || {\n echo \"setting DNS failed, no compatible server profile\"\n return 1\n }\n\n # Skip server profiles which require DNS-over-HTTPS\n local transport_var=dns_server_${n}_transport\n [ -n \"${!transport_var}\" -a \"${!transport_var}\" = \"DoH\" ] || break\n\n n=$((n+1))\n done\n\n if [ \"$script_type\" = \"dns-up\" ]; then\n echo \"setting DNS using resolvectl\"\n do_resolved_servers\n do_resolved_domains\n do_resolved_dnssec\n do_resolved_dnsovertls\n else\n echo \"unsetting DNS using resolvectl\"\n resolvectl revert \"$dev\"\n fi\n\n return 0\n}\n\nfunction only_standard_server_ports {\n local i=1\n while :; do\n local addr_var=dns_server_${n}_address_${i}\n [ -n \"${!addr_var}\" ] || return 0\n\n local port_var=dns_server_${n}_port_${i}\n [ -z \"${!port_var}\" -o \"${!port_var}\" = \"53\" ] || return 1\n\n i=$((i+1))\n done\n}\n\nfunction resolv_conf_compat_profile {\n local n=1\n while :; do\n local server_addr_var=dns_server_${n}_address_1\n [ -n \"${!server_addr_var}\" ] || {\n echo \"setting DNS failed, no compatible server profile\"\n exit 1\n }\n\n # Skip server profiles which require DNSSEC,\n # secure transport or use a custom port\n local dnssec_var=dns_server_${n}_dnssec\n local transport_var=dns_server_${n}_transport\n [ -z \"${!transport_var}\" -o \"${!transport_var}\" = \"plain\" ] \\\n && [ -z \"${!dnssec_var}\" -o \"${!dnssec_var}\" = \"no\" ] \\\n && only_standard_server_ports && break\n\n n=$((n+1))\n done\n return $n\n}\n\nfunction do_resolvconf {\n [ -x /sbin/resolvconf ] || return 1\n\n resolv_conf_compat_profile\n local n=$?\n\n if [ \"$script_type\" = \"dns-up\" ]; then\n echo \"setting DNS using resolvconf\"\n local domains=\"\"\n for domain_var in ${!dns_search_domain_*}; do\n domains+=\"${!domain_var} \"\n done\n {\n local i=1\n local maxns=3\n while [ \"${i}\" -le \"${maxns}\" ]; do\n local addr_var=dns_server_${n}_address_${i}\n [ -n \"${!addr_var}\" ] || break\n echo \"nameserver ${!addr_var}\"\n i=$((i+1))\n done\n [ -z \"$domains\" ] || echo \"search $domains\"\n } | /sbin/resolvconf -a \"$dev\"\n else\n echo \"unsetting DNS using resolvconf\"\n /sbin/resolvconf -d \"$dev\"\n fi\n\n return 0\n}\n\nfunction do_resolv_conf_file {\n conf=/etc/resolv.conf\n test -e \"$conf\" || exit 1\n\n resolv_conf_compat_profile\n local n=$?\n\n if [ \"$script_type\" = \"dns-up\" ]; then\n echo \"setting DNS using resolv.conf file\"\n\n local addr1_var=dns_server_${n}_address_1\n local addr2_var=dns_server_${n}_address_2\n local addr3_var=dns_server_${n}_address_3\n text=\"### openvpn ${dev} begin ###\\n\"\n text=\"${text}nameserver ${!addr1_var}\\n\"\n test -z \"${!addr2_var}\" || text=\"${text}nameserver ${!addr2_var}\\n\"\n test -z \"${!addr3_var}\" || text=\"${text}nameserver ${!addr3_var}\\n\"\n\n test -z \"$dns_search_domain_1\" || {\n for i in $(seq 1 6); do\n eval domains=\\\"$domains\\$dns_search_domain_${i} \\\" || break\n done\n text=\"${text}search $domains\\n\"\n }\n text=\"${text}### openvpn ${dev} end ###\"\n\n sed -i \"1i${text}\" \"$conf\"\n else\n echo \"unsetting DNS using resolv.conf file\"\n sed -i \"/### openvpn ${dev} begin ###/,/### openvpn ${dev} end ###/d\" \"$conf\"\n fi\n\n return 0\n}\n\ndo_resolved || do_resolvconf || do_resolv_conf_file || {\n echo \"setting DNS failed, no method succeeded\"\n exit 1\n}\n" }, { "path": "distro/systemd/Makefile.am", "content": "#\n# OpenVPN -- An application to securely tunnel IP networks\n# over a single UDP port, with support for SSL/TLS-based\n# session authentication and key exchange,\n# packet encryption, packet authentication, and\n# packet compression.\n#\n# Copyright (C) 2017-2026 OpenVPN Inc \n#\n\n%.service: %.service.in Makefile\n\t$(AM_V_GEN)sed \\\n\t\t-e 's|\\@OPENVPN_VERSION_MAJOR\\@|$(OPENVPN_VERSION_MAJOR)|g' \\\n\t\t-e 's|\\@OPENVPN_VERSION_MINOR\\@|$(OPENVPN_VERSION_MINOR)|g' \\\n\t\t-e 's|\\@sbindir\\@|$(sbindir)|g' \\\n\t\t$< > $@.tmp && mv $@.tmp $@\n\nEXTRA_DIST = \\\n\ttmpfiles-openvpn.conf \\\n\topenvpn-client@.service.in \\\n\topenvpn-server@.service.in\n\nif ENABLE_SYSTEMD\nsystemdunit_DATA = \\\n\topenvpn-client@.service \\\n\topenvpn-server@.service\nCLEANFILES = $(systemdunit_DATA)\ntmpfiles_DATA = \\\n\ttmpfiles-openvpn.conf\ndist_doc_DATA = \\\n\tREADME.systemd\n\ninstall-data-hook:\n\tmv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf\nendif\n\nMAINTAINERCLEANFILES = \\\n\t$(srcdir)/Makefile.in\n" }, { "path": "distro/systemd/README.systemd", "content": "OpenVPN and systemd\n===================\n\nAs of OpenVPN v2.4, upstream is shipping systemd unit files to provide a\nfine grained control of each OpenVPN configuration as well as trying to\nrestrict the capabilities the OpenVPN process have on a system.\n\n\nConfiguration profile types\n---------------------------\nThese new unit files separates between client and server profiles. The\nconfiguration files are kept in separate directories, to provide clarity\nof the profile they run under.\n\nTypically the client profile cannot bind to any ports below port 1024\nand the client configuration is always started with --nobind.\n\nThe server profile is allowed to bind to any ports. In addition it enables\na client status file, usually found in the /run/openvpn-server directory.\nThe status format is set to version 2 by default. These settings may be\noverridden by adding --status and/or --status-version in the OpenVPN\nconfiguration file.\n\nNeither of these profiles makes use of PID files, but OpenVPN reports back to\nsystemd its PID once it has initialized.\n\nFor configuration using a peer-to-peer mode (not using --mode server on one\nof the sides) it is recommended to use the client profile.\n\n\nConfiguration files\n-------------------\nThese new unit files expects client configuration files to be made available\nin /etc/openvpn/client. Similar for the server configurations, it is expected\nto be found in /etc/openvpn/server. The configuration files must have a .conf\nfile extension.\n\n\nManaging VPN tunnels\n--------------------\nUse the normal systemctl tool to start, stop VPN tunnels, as well as enable\nand disable tunnels at boot time. The syntax is:\n\n - client configurations:\n # systemctl $OPER openvpn-client@$CONFIGNAME\n\n - server configurations:\n # systemctl $OPER openvpn-server@$CONFIGNAME\n\nSimilarly, to view the OpenVPN journal log use a similar syntax:\n\n # journalctl -u openvpn-client@$CONFIGNAME\n or\n # journalctl -u openvpn-server@$CONFIGNAME\n\n* Examples\n Say your server configuration is /etc/openvpn/server/tun0.conf, you\n start this VPN service like this:\n\n # systemctl start openvpn-server@tun0\n\n A client configuration file in /etc/openvpn/client/corpvpn.conf is\n started like this:\n\n # systemctl start openvpn-client@corpvpn\n\n To view the server configuration's journal only listing entries from\n yesterday and until today:\n\n # journalctl --since yesterday -u openvpn-server@tun0\n" }, { "path": "distro/systemd/openvpn-client@.service.in", "content": "[Unit]\nDescription=OpenVPN tunnel for %i\nAfter=network-online.target\nWants=network-online.target\nDocumentation=man:openvpn(8)\nDocumentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-@OPENVPN_VERSION_MAJOR@-@OPENVPN_VERSION_MINOR@/\nDocumentation=https://community.openvpn.net/openvpn/wiki/HOWTO\n\n[Service]\nType=notify\nPrivateTmp=true\nWorkingDirectory=/etc/openvpn/client\nExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf\nCapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE\nTasksMax=20\nDeviceAllow=/dev/null rw\nDeviceAllow=/dev/net/tun rw\nProtectSystem=true\nProtectHome=true\nKillMode=process\n\n[Install]\nWantedBy=multi-user.target\n" }, { "path": "distro/systemd/openvpn-server@.service.in", "content": "[Unit]\nDescription=OpenVPN service for %i\nAfter=network-online.target\nWants=network-online.target\nDocumentation=man:openvpn(8)\nDocumentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-@OPENVPN_VERSION_MAJOR@-@OPENVPN_VERSION_MINOR@/\nDocumentation=https://community.openvpn.net/openvpn/wiki/HOWTO\n\n[Service]\nType=notify\nPrivateTmp=true\nWorkingDirectory=/etc/openvpn/server\nExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf\nCapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE CAP_AUDIT_WRITE\nTasksMax=20\nDeviceAllow=/dev/null rw\nDeviceAllow=/dev/net/tun rw\nProtectSystem=true\nProtectHome=true\nKillMode=process\nRestartSec=5s\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n" }, { "path": "distro/systemd/tmpfiles-openvpn.conf", "content": "d /run/openvpn-client 0710 root root -\nd /run/openvpn-server 0710 root root -\n" }, { "path": "doc/CMakeLists.txt", "content": "set(_GENERATE_HTML_DOC YES)\nset(_GENERATE_MAN_DOC YES)\nset(_MAYBE_PYTHON \"\")\nfind_program(RST2HTML NAMES rst2html rst2html.py)\nfind_program(RST2MAN NAMES rst2man rst2man.py)\n\nif (RST2HTML STREQUAL \"RST2HTML-NOTFOUND\")\n message(STATUS \"rst2html not found, not generating HTML documentation\")\n set(_GENERATE_HTML_DOC NO)\nelse ()\n # We only run this for RST2HTML and assume the result would be the same\n # for RST2MAN\n if (DEFINED CACHE{DOCUTILS_NEED_PYTHON})\n if ($CACHE{DOCUTILS_NEED_PYTHON})\n set(_MAYBE_PYTHON ${PYTHON})\n endif ()\n else ()\n execute_process(\n COMMAND ${RST2HTML} --version\n OUTPUT_VARIABLE RST2HTML_VERSION_EXE\n )\n execute_process(\n COMMAND ${PYTHON} ${RST2HTML} --version\n OUTPUT_VARIABLE RST2HTML_VERSION_PY\n )\n set(_DOCUTILS_NEED_PYTHON OFF)\n if(RST2HTML_VERSION_EXE STREQUAL \"\")\n if(RST2HTML_VERSION_PY STREQUAL \"\")\n message(STATUS \"${RST2HTML} found but not working, not generating documentation\")\n set(_GENERATE_HTML_DOC NO)\n set(_GENERATE_MAN_DOC NO)\n else ()\n message(STATUS \"${RST2HTML} needs to be executed by ${PYTHON} to work\")\n set(_MAYBE_PYTHON ${PYTHON})\n set(_DOCUTILS_NEED_PYTHON ON)\n endif ()\n endif ()\n set(DOCUTILS_NEED_PYTHON ${_DOCUTILS_NEED_PYTHON} CACHE BOOL\n \"Whether we need to call python instead of rst2*.py directly\")\n endif (DEFINED CACHE{DOCUTILS_NEED_PYTHON})\nendif ()\nif (RST2MAN STREQUAL \"RST2MAN-NOTFOUND\")\n message(STATUS \"rst2man not found, not generating man pages\")\n set(_GENERATE_MAN_DOC NO)\nendif ()\n\nset(OPENVPN_SECTIONS\n man-sections/advanced-options.rst\n man-sections/cipher-negotiation.rst\n man-sections/client-options.rst\n man-sections/connection-profiles.rst\n man-sections/encryption-options.rst\n man-sections/generic-options.rst\n man-sections/inline-files.rst\n man-sections/link-options.rst\n man-sections/log-options.rst\n man-sections/management-options.rst\n man-sections/network-config.rst\n man-sections/pkcs11-options.rst\n man-sections/plugin-options.rst\n man-sections/protocol-options.rst\n man-sections/proxy-options.rst\n man-sections/renegotiation.rst\n man-sections/signals.rst\n man-sections/script-options.rst\n man-sections/server-options.rst\n man-sections/tls-options.rst\n man-sections/unsupported-options.rst\n man-sections/virtual-routing-and-forwarding.rst\n man-sections/vpn-network-options.rst\n man-sections/windows-options.rst\n )\n\nset(OPENVPN_EXAMPLES_SECTIONS\n man-sections/example-fingerprint.rst\n man-sections/examples.rst\n )\n\nset(RST_FLAGS --strict)\n\nif (_GENERATE_HTML_DOC)\n list(APPEND ALL_DOCS openvpn.8.html openvpn-examples.5.html)\n add_custom_command(\n OUTPUT openvpn.8.html\n COMMAND ${_MAYBE_PYTHON} ${RST2HTML} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn.8.html\n MAIN_DEPENDENCY openvpn.8.rst\n DEPENDS ${OPENVPN_SECTIONS}\n )\n add_custom_command(\n OUTPUT openvpn-examples.5.html\n COMMAND ${_MAYBE_PYTHON} ${RST2HTML} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5.html\n MAIN_DEPENDENCY openvpn-examples.5.rst\n DEPENDS ${OPENVPN_EXAMPLES_SECTIONS}\n )\nendif ()\nif (_GENERATE_MAN_DOC)\n list(APPEND ALL_DOCS openvpn.8 openvpn-examples.5)\n add_custom_command(\n OUTPUT openvpn.8\n COMMAND ${_MAYBE_PYTHON} ${RST2MAN} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn.8\n MAIN_DEPENDENCY openvpn.8.rst\n DEPENDS ${OPENVPN_SECTIONS}\n )\n add_custom_command(\n OUTPUT openvpn-examples.5\n COMMAND ${_MAYBE_PYTHON} ${RST2MAN} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5\n MAIN_DEPENDENCY openvpn-examples.5.rst\n DEPENDS ${OPENVPN_EXAMPLES_SECTIONS}\n )\nendif ()\n\nadd_custom_target(documentation ALL DEPENDS ${ALL_DOCS})\n" }, { "path": "doc/Makefile.am", "content": "#\n# OpenVPN -- An application to securely tunnel IP networks\n# over a single UDP port, with support for SSL/TLS-based\n# session authentication and key exchange,\n# packet encryption, packet authentication, and\n# packet compression.\n#\n# Copyright (C) 2002-2026 OpenVPN Inc \n# Copyright (C) 2006-2012 Alon Bar-Lev \n#\n\nSUBDIRS = doxygen\n\n#\n# List of man and HTML pages we build when rst2man/rst2html is available\n#\n# NOTE: Remember to add source .rst files to $(dist_noinst_DATA) below\n# This could be automated with GNU Make, but we need BSD Make support\n#\nbuild_man_pages = openvpn.8 openvpn-examples.5\nbuild_html_pages = openvpn.8.html openvpn-examples.5.html\n\ndist_doc_DATA = \\\n\tmanagement-notes.txt gui-notes.txt\n\nopenvpn_sections = \\\n\tman-sections/advanced-options.rst \\\n\tman-sections/cipher-negotiation.rst \\\n\tman-sections/client-options.rst \\\n\tman-sections/connection-profiles.rst \\\n\tman-sections/encryption-options.rst \\\n\tman-sections/generic-options.rst \\\n\tman-sections/inline-files.rst \\\n\tman-sections/link-options.rst \\\n\tman-sections/log-options.rst \\\n\tman-sections/management-options.rst \\\n\tman-sections/network-config.rst \\\n\tman-sections/pkcs11-options.rst \\\n\tman-sections/plugin-options.rst \\\n\tman-sections/protocol-options.rst \\\n\tman-sections/proxy-options.rst \\\n\tman-sections/renegotiation.rst \\\n\tman-sections/signals.rst \\\n\tman-sections/script-options.rst \\\n\tman-sections/server-options.rst \\\n\tman-sections/tls-options.rst \\\n\tman-sections/unsupported-options.rst \\\n\tman-sections/virtual-routing-and-forwarding.rst \\\n\tman-sections/vpn-network-options.rst \\\n\tman-sections/windows-options.rst\n\nopenvpn_examples_sections = \\\n\tman-sections/example-fingerprint.rst \\\n\tman-sections/examples.rst\n\ndist_noinst_DATA = \\\n\tandroid.txt \\\n\tinteractive-service-notes.rst \\\n\tkeying-material-exporter.txt \\\n\topenvpn.8.rst \\\n\topenvpn-examples.5.rst \\\n\tREADME.man \\\n\tREADME.plugins \\\n\ttls-crypt-v2.txt \\\n\t$(openvpn_sections) \\\n\t$(openvpn_examples_sections) \\\n\tCMakeLists.txt\n\nEXTRA_DIST = tests\n\n# dependencies\nopenvpn.8 openvpn.8.html: $(openvpn_sections)\nopenvpn-examples.5 openvpn-examples.5.html: $(openvpn_examples_sections)\n\n###### GENERIC RULES ##########\n\nSUFFIXES = .8.rst .8 .8.html .5.rst .5 .5.html\n\nRST_FLAGS = --strict\n\nMAINTAINERCLEANFILES = \\\n\t$(srcdir)/Makefile.in\n\n.8.rst.8 .5.rst.5 :\nif HAVE_PYDOCUTILS\n\t$(RST2MAN) $(RST_FLAGS) $< > $@\nelse\n\t@echo \"Missing python-docutils - skipping man page generation ($@)\"\nendif\n\n.8.rst.8.html .5.rst.5.html :\nif HAVE_PYDOCUTILS\n\t$(RST2HTML) $(RST_FLAGS) $< > $@\nelse\n\t@echo \"Missing python-docutils - skipping html page generation ($@)\"\nendif\n\n\nif HAVE_PYDOCUTILS\ndist_noinst_DATA += $(build_man_pages)\ndist_html_DATA = $(build_html_pages)\n\n# Failsafe - do not delete these files unless we can recreate them\nCLEANFILES = $(build_man_pages) $(build_html_pages)\n\nendif\n\nif WIN32\nelse\ndist_man_MANS = $(build_man_pages)\nendif\n\ndist-hook : $(build_man_pages) $(build_html_pages)\n" }, { "path": "doc/README.man", "content": "\nman page documentation\n======================\n\nThe man page content maintained in the openvpn.8.rst file and proper man and\nthe html version of the man page are generated using python-docutils. Both\nthe man page and html file are generated during 'make dist' or 'make distcheck'\nand should be distributed inside the tarball by default.\n\nUsers compiling OpenVPN from the tarball should not need to regenerate the\nman/html files unless the source file needs to be modified.\n\nFurther information:\n\n* Python docutils project:\n https://docutils.sourceforge.io/\n\n* Quickstart on .rst\n https://docutils.sourceforge.io/docs/user/rst/quickstart.html\n\n* reStructuredText Markup Specifictaion (.rst)\n https://docutils.sourceforge.io/docs/ref/rst/restructuredtext.html\n" }, { "path": "doc/README.plugins", "content": "OpenVPN Plugins\n---------------\n\nStarting with OpenVPN 2.0-beta17, compiled plugin modules are\nsupported on any *nix OS which includes libdl or on Windows.\nOne or more modules may be loaded into OpenVPN using\nthe --plugin directive, and each plugin module is capable of\nintercepting any of the script callbacks which OpenVPN supports:\n\n(1) up\n(2) down\n(3) route-up\n(4) ipchange\n(5) tls-verify\n(6) auth-user-pass-verify\n(7) client-connect\n(8) client-disconnect\n(9) learn-address\n\nSee the openvpn-plugin.h file in the top-level directory of the\nOpenVPN source distribution for more detailed information\non the plugin interface.\n\nIncluded Plugins\n----------------\n\nauth-pam -- Authenticate using PAM and a split privilege\n execution model which functions even if\n root privileges or the execution environment\n have been altered with --user/--group/--chroot.\n Tested on Linux only.\n\ndown-root -- Enable the running of down scripts with root privileges\n even if --user/--group/--chroot have been used\n to drop root privileges or change the execution\n environment. Not applicable on Windows.\n\nexamples -- A simple example that demonstrates a portable\n plugin, i.e. one which can be built for *nix\n or Windows from the same source.\n\nBuilding Plugins\n----------------\n\ncd to the top-level directory of a plugin, and use the\n\"make\" command to build it. The examples plugin is\nbuilt using a build script, not a makefile.\n" }, { "path": "doc/android.txt", "content": "This file documents the support in OpenVPN for Android using the\nVPNService API (https://developer.android.com/reference/android/net/VpnService)\nthat has been introduced in Android 4.0 (API 14).\n\nThis support is primarily used in the \"OpenVPN for Android\" app\n(https://github.com/schwabe/ics-openvpn). For building see the developer\nREADME: https://github.com/schwabe/ics-openvpn/blob/master/doc/README.txt\n\nAndroid provides the VPNService API\n(https://developer.android.com/reference/android/net/VpnService)\nwhich allows establishing VPN connections without rooting the device.\n\nUnlike on other platforms, the tun device is openend by UI instead of\nOpenVPN itself. The VpnService API needs the following parameters:\n\n- IP and netmask of tun interface\n- Networks that should be routed to the tun interface\n- DNS Servers and DNS Domain\n- MTU\n\nAll IPs/Routes are in CIDR style. Non-CIDR routes are not supported.\nNotable is the lack of support for setting routes to other interfaces\nusually used to avoid the server connection going over the tun\ninterface. However, Android 13 adds support for exclusion routes that\nserve the same purpose. The Android VPNService API has the concept\nof protecting a socket from being routed over an interface. Calling\nprotect (fd) will internally bind the socket to the interface used for the\nexternal connection (usually WiFi or mobile data).\n\nTo use OpenVPN with the VPNService API OpenVPN must be built with\nthe TARGET_ANDROID compile option. Also the UI must use a UNIX\ndomain socket to connect to OpenVPN. When compiled as TARGET_ANDROID\nOpenVPN will use management callbacks instead of executing traditional\nifconfig/route commands use the need-ok callback mechanism which\nwill ask\n\n> NEED-OK command\n\nwhere command can be:\n\nIFCONFIG6 IPv6/netmask\nIFCONFIG local remoteOrNetmask MTU topology\n\nTo tell the UI which IPs addresses OpenVPN expects on the interface.\nTopology is one of \"net30\",\"p2p\",\"subnet\" or \"undef\".\n\nROUTE6 network/netmask\nROUTE network netmask\n\nTo tell the UI which routes should be set on the tun interface.\n\nDNSSERVER IP server address\nDNS6SERVER IPv6 server address\nDNSDOMAIN searchdomain\n\nTo set the DNS server and search domain.\n\nThe GUI will then respond with a \"needok 'command' ok' or \"needok\n'command' cancel', e.g. \"needok 'IFCONFIG' ok\".\n\nPERSIST_TUN_ACTION\n\nWhen OpenVPN wants to open an fd it will do this query via management.\nThe UI should compare the last configuration of the tun device with the current\ntun configuration and reply with either NOACTION (or always respond with\nOPEN_BEFORE_CLOSE).\n\n- NOACTION: Keep using the old fd\n- OPEN_BEFORE_CLOSE: the normal behaviour when the VPN configuration changed\n\nFor example the UI could respond with\nneedok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE\n\nTo protect a socket the OpenVPN will send a PROTECTFD to the UI.\nWhen sending the PROTECTFD command command to the UI it will send\nthe fd of the socket as ancillary message over the UNIX socket.\nThe UI will then call protect(fd) on the received socket protecting\nit from being routed over the VPN.\n\nWhen opening a tun device the OpenVPN process will first send all\nroute, ifconfig and DNS related configuration to the UI and after\nthat calls the OPENTUN command to receive a tun fd with the requested\nconfiguration. The UI will then use the collected information to\ncall the VPNService's establish() method to receive a fd which in\nturn is send to the OpenVPN process as ancillary message to the\n\"needok 'OPENTUN' ok' response.\n\nThe OpenVPN for Android UI extensively uses other features that\nare not specific to Android but are rarely used on other platform.\nFor example using SIGUSR1 and management-hold to restart, pause,\ncontinue the VPN on network changes or the external key management\n--management-external-key option and inline files.\n\nTo better support handover between networks, a the management command\n\nnetwork-change [samenetwork]\n\nis used on the Android platform. It tells OpenVPN to do the necessary\naction when the network changes. Currently this is just calling\nthe protect callback when using peer-id regardless of the samenetwork.\nWithout peer-id OpenVPN will generate USR1 when samenetwork is not set.\n" }, { "path": "doc/doxygen/Makefile.am", "content": "#\n# OpenVPN -- An application to securely tunnel IP networks\n# over a single UDP port, with support for SSL/TLS-based\n# session authentication and key exchange,\n# packet encryption, packet authentication, and\n# packet compression.\n#\n# Copyright (C) 2017-2026 Sentyron B.V. \n#\n\nMAINTAINERCLEANFILES = \\\n\t$(srcdir)/Makefile.in\n\nDISTCLEANFILES = openvpn.doxyfile\n\nDOXYGEN_EXTRA_FILES = \\\n\tdoc_compression.h \\\n\tdoc_control_processor.h \\\n\tdoc_control_tls.h \\\n\tdoc_data_control.h \\\n\tdoc_data_crypto.h \\\n\tdoc_eventloop.h \\\n\tdoc_external_multiplexer.h \\\n\tdoc_fragmentation.h \\\n\tdoc_internal_multiplexer.h \\\n\tdoc_key_generation.h \\\n\tdoc_mainpage.h \\\n\tdoc_memory_management.h \\\n\tdoc_protocol_overview.h \\\n\tdoc_reliable.h \\\n\tdoc_tunnel_state.h\n\nEXTRA_DIST = $(DOXYGEN_EXTRA_FILES)\n\n.PHONY: doxygen\ndoxygen: openvpn.doxyfile $(DOXYGEN_EXTRA_FILES)\n\tdoxygen openvpn.doxyfile\n\nclean-local:\n\t-rm -rf html latex\n" }, { "path": "doc/doxygen/doc_compression.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Data Channel Compression module documentation file.\n */\n\n/**\n * @defgroup compression Data Channel Compression module\n *\n * This module offers compression of data channel packets.\n *\n * @par State structures\n * The Data Channel Compression module stores its internal state in a \\c\n * lzo_compress_workspace structure. This state includes flags which\n * control the module's behavior and preallocated working memory. One\n * such structure is present for each VPN tunnel, and is stored in the \\c\n * context.c2.lzo_compwork of the \\c context associated with that VPN\n * tunnel.\n *\n * @par Initialization and cleanup\n * Every time a new \\c lzo_compress_workspace is needed, it must be\n * initialized using the \\c lzo_compress_init() function. Similarly,\n * every time a \\c lzo_compress_workspace is no longer needed, it must be\n * cleaned up using the \\c lzo_compress_uninit() function. These\n * functions take care of the allocation and freeing of internal working\n * memory, but not of the \\c lzo_compress_workspace structures themselves.\n *\n * @par\n * Because of the one-to-one relationship between \\c\n * lzo_compress_workspace structures and VPN tunnels, the above-mentioned\n * initialization and cleanup functions are called directly from the \\c\n * init_instance() and \\c close_instance() functions, which control the\n * initialization and cleanup of VPN tunnel instances and their associated\n * \\c context structures.\n *\n * @par Packet processing functions\n * This module receives data channel packets from the \\link data_control\n * Data Channel Control module\\endlink and processes them according to the\n * settings of the packet's VPN tunnel. The \\link data_control Data\n * Channel Control module\\endlink uses the following interface functions:\n * - For packets which will be sent to a remote OpenVPN peer: \\c\n * lzo_compress()\n * - For packets which have been received from a remote OpenVPN peer: \\c\n * lzo_decompress()\n *\n * @par Settings that control this module's activity\n * Whether or not the Data Channel Compression module is active depends on\n * the compile-time \\c ENABLE_LZO preprocessor macro and the runtime flags\n * stored in \\c lzo_compress_workspace.flags of the associated VPN tunnel.\n * The latter are initialized from \\c options.lzo, which gets its value\n * from the process's configuration sources, such as its configuration\n * file or command line %options.\n *\n * @par Adaptive compression\n * The compression module supports adaptive compression. If this feature\n * is enabled, the compression routines monitor their own performance and\n * turn compression on or off depending on whether it is leading to\n * significantly reduced payload size.\n *\n * @par Compression algorithms\n * This module uses the Lempel-Ziv-Oberhumer (LZO) compression algorithms.\n * These offer lossless compression and are designed for high-performance\n * decompression. This module uses the external \\c lzo library's\n * implementation of the algorithms.\n *\n * @par\n * For more information on the LZO library, see:\\n\n * https://www.oberhumer.com/opensource/lzo/\n */\n" }, { "path": "doc/doxygen/doc_control_processor.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Control Channel Processor module documentation file.\n */\n\n/**\n * @defgroup control_processor Control Channel Processor module\n *\n * This module controls the setup and maintenance of VPN tunnels and the\n * associated security parameters.\n *\n * @par This module's role\n * The Control Channel Processor module lies at the core of OpenVPN's\n * activities. It handles the setup of new VPN tunnels, the negotiation\n * of data channel security parameters, the managing of active VPN\n * tunnels, and finally the cleanup of expired VPN tunnels.\n *\n * @par State structures\n * A large amount of VPN tunnel state information must be stored within an\n * OpenVPN process. A wide variety of container structures are used by\n * this module for that purpose. Several of these structures are listed\n * below, and the function of the first three VPN tunnel state containers\n * is described in more detail later.\n * - VPN tunnel state containers:\n * - \\c tls_multi, security parameter state for a single VPN tunnel.\n * Contains three instances of the \\c tls_session structure.\n * - \\c tls_session, security parameter state of a single session\n * within a VPN tunnel. Contains two instances of the \\c key_state\n * structure.\n * - \\c key_state, security parameter state of one TLS and data\n * channel %key set.\n * - Data channel security parameter containers:\n * - \\c key_ctx_bi, container for two sets of OpenSSL cipher and/or\n * HMAC context (both directions). Contains two instances of the \\c\n * key_ctx structure.\n * - \\c key_ctx, container for one set of OpenSSL cipher and/or HMAC\n * context (one directions.\n * - Key material containers:\n * - \\c key2, container for two sets of cipher and/or HMAC %key\n * material (both directions). Contains two instances of the \\c key\n * structure.\n * - \\c key, container for one set of cipher and/or HMAC %key material\n * (one direction).\n * - \\c key_direction_state, ordering of %key material within the \\c\n * key2.key array.\n * - Key method 2 random material containers:\n * - \\c key_source2, container for both halves of random material used\n * for %key method 2. Contains two instances of the \\c key_source\n * structure.\n * - \\c key_source, container for one half of random material used for\n * %key method 2.\n *\n * @par The life of a \\c tls_multi object\n * A \\c tls_multi structure contains all the security parameter state\n * information related to the control and data channels of one VPN tunnel.\n * Its life cycle can be summarized as follows:\n * -# Initialization: \\c tls_multi_init() and \\c\n * tls_multi_init_finalize(), which are called (indirectly) from \\c\n * init_instance() when initializing a new \\c context structure.\n * - Initializes a \\c tls_multi structure.\n * - Allocates the three \\c tls_session objects contained by the \\c\n * tls_multi structure, and initializes as appropriate.\n * -# Management: \\c tls_multi_process() and \\c tls_pre_decrypt()\n * - If a new session is initiated by the remote peer, then \\c\n * tls_pre_decrypt() starts the new session negotiation in the\n * un-trusted \\c tls_session.\n * - If the, as yet, un-trusted \\c tls_session authenticates\n * successfully, then \\c tls_multi_process() moves it so as to be\n * the active \\c tls_session.\n * - If an error occurs during processing of a \\c key_state object,\n * then \\c tls_multi_process() cleans up and initializes the\n * associated \\c tls_session object. If the error occurred in the\n * active \\c key_state of the active \\c tls_session and the\n * lame-duck \\c key_state of that \\c tls_session has not yet\n * expired, it is preserved as fallback.\n * -# Cleanup: \\c tls_multi_free(), which is called (indirectly) from \\c\n * close_instance() when cleaning up a \\c context structure.\n * - Cleans up a \\c tls_multi structure.\n * - Cleans up the three \\c tls_session objects contained by the \\c\n * tls_multi structure.\n *\n * @par The life of a \\c tls_session object\n * A \\c tls_session structure contains the state information related to an\n * active and a lame-duck \\c key_state. Its life cycle can be summarized\n * as follows:\n * -# Initialization: \\c tls_session_init()\n * - Initializes a \\c tls_session structure.\n * - Initializes the primary \\c key_state by calling \\c\n * key_state_init().\n * -# Renegotiation: \\c key_state_soft_reset()\n * - Cleans up the old lame-duck \\c key_state by calling \\c\n * key_state_free().\n * - Moves the old primary \\c key_state to be the new lame-duck \\c\n * key_state.\n * - Initializes a new primary \\c key_state by calling \\c\n * key_state_init().\n * -# Cleanup: \\c tls_session_free()\n * - Cleans up a \\c tls_session structure.\n * - Cleans up all \\c key_state objects associated with the session by\n * calling \\c key_state_free() for each.\n *\n * @par The life of a \\c key_state object\n * A \\c key_state structure represents one control and data channel %key\n * set. It contains an OpenSSL TLS object that encapsulates the control\n * channel, and the data channel security parameters needed by the \\link\n * data_crypto Data Channel Crypto module\\endlink to perform cryptographic\n * operations on data channel packets. Its life cycle can be summarized\n * as follows:\n * -# Initialization: \\c key_state_init()\n * - Initializes a \\c key_state structure.\n * - Creates a new OpenSSL TLS object to encapsulate this new control\n * channel session.\n * - Sets \\c key_state.state to \\c S_INITIAL.\n * - Allocates several internal buffers.\n * - Initializes new reliability layer structures for this key set.\n * -# Negotiation: \\c tls_process()\n * - The OpenSSL TLS object negotiates a TLS session between itself\n * and the remote peer's TLS object.\n * - Key material is generated and exchanged through the TLS session\n * between OpenVPN peers.\n * - Both peers initialize their data channel cipher and HMAC key\n * contexts.\n * - On successful negotiation, the \\c key_state.state will progress\n * from \\c S_INITIAL to \\c S_ACTIVE and \\c S_NORMAL.\n * -# Active tunneling: \\link data_crypto Data Channel Crypto\n * module\\endlink\n * - Data channel packet to be sent to a remote OpenVPN peer:\n * - \\c tls_pre_encrypt() loads the security parameters from the \\c\n * key_state into a \\c crypto_options structure.\n * - \\c openvpn_encrypt() uses the \\c crypto_options to an encrypt\n * and HMAC sign the data channel packet.\n * - Data channel packet received from a remote OpenVPN peer:\n * - \\c tls_pre_decrypt() loads the security parameters from the \\c\n * key_state into a \\c crypto_options structure.\n * - \\c openvpn_encrypt() uses the \\c crypto_options to\n * authenticate and decrypt the data channel packet.\n * -# Cleanup: \\c key_state_free()\n * - Cleans up a \\c key_state structure together with its OpenSSL TLS\n * object, key material, internal buffers, and reliability layer\n * structures.\n *\n * @par Control functions\n * The following two functions drive the Control Channel Processor's\n * activities.\n * - \\c tls_multi_process(), iterates through the \\c tls_session objects\n * within a given \\c tls_multi of a VPN tunnel, and calls \\c\n * tls_process() for each \\c tls_session which is being set up, is\n * already active, or is busy expiring.\n * - \\c tls_process(), performs the Control Channel Processor module's\n * core handling of received control channel messages, and generates\n * appropriate messages to be sent.\n *\n * @par Functions which control data channel key generation\n * - Key method 1 key exchange functions were removed from OpenVPN 2.5\n * - Key method 2 key exchange functions:\n * - \\c key_method_2_write(), generates and processes key material to\n * be sent to the remote OpenVPN peer.\n * - \\c key_method_2_read(), processes key material received from the\n * remote OpenVPN peer.\n */\n" }, { "path": "doc/doxygen/doc_control_tls.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Control Channel TLS module documentation file.\n */\n\n/**\n * @defgroup control_tls Control Channel TLS module\n *\n * This module provides secure encapsulation of control channel messages\n * exchanged between OpenVPN peers.\n *\n * The Control Channel TLS module uses the Transport Layer Security (TLS)\n * protocol to provide an encrypted communication channel between the\n * local OpenVPN process and a remote peer. This protocol simultaneously\n * offers certificate-based authentication of the communicating parties.\n *\n * @par This module's roles\n * The Control Channel TLS module is essential for the security of any\n * OpenVPN-based system. On the one hand, it performs the security\n * operations necessary to protect control channel messages exchanged\n * between OpenVPN peers. On the other hand, before the control and data\n * channels are even setup, it controls the exchange of certificates and\n * verification of the remote's identity during negotiation of VPN\n * tunnels.\n *\n * @par\n * The former role is described below. The latter is described in the\n * documentation for the verify_callback() function.\n *\n * @par\n * In other words, this module takes care of the confidentiality and\n * integrity of data channel communications, and the authentication of\n * both the communicating parties and the control channel messages\n * exchanged.\n *\n * @par Initialization and cleanup\n * Because of the one-to-one relationship between control channel TLS\n * state and \\c key_state structures, the initialization and cleanup of an\n * instance of the Control Channel TLS module's state happens within the\n * key_state_init() and key_state_free() functions. In other words,\n * each \\c key_state object contains exactly one OpenSSL SSL-BIO object,\n * which is initialized and cleaned up together with the rest of the \\c\n * key_state object.\n *\n * @par Packet processing functions\n * This object behaves somewhat like a black box with a ciphertext and a\n * plaintext I/O port. Its interaction with OpenVPN's control channel\n * during operation takes place within the tls_process() function of\n * the \\link control_processor Control Channel Processor\\endlink. The\n * following functions are available for processing packets:\n * - If ciphertext received from the remote peer is available in the \\link\n * reliable Reliability Layer\\endlink:\n * - Insert it into the ciphertext-side of the SSL-BIO.\n * - Use function: key_state_write_ciphertext()\n * - If ciphertext can be extracted from the ciphertext-side of the\n * SSL-BIO:\n * - Pass it to the \\link reliable Reliability Layer\\endlink for sending\n * to the remote peer.\n * - Use function: key_state_read_ciphertext()\n * - If plaintext can be extracted from the plaintext-side of the SSL-BIO:\n * - Pass it on to the \\link control_processor Control Channel\n * Processor\\endlink for local processing.\n * - Use function: key_state_read_plaintext()\n * - If plaintext from the \\link control_processor Control Channel\n * Processor\\endlink is available to be sent to the remote peer:\n * - Insert it into the plaintext-side of the SSL-BIO.\n * - Use function: key_state_write_plaintext() or\n * key_state_write_plaintext_const()\n *\n * @par Transport Layer Security protocol implementation\n * This module uses the OpenSSL library's implementation of the TLS\n * protocol in the form of an OpenSSL SSL-BIO object.\n *\n * @par\n * For more information on the OpenSSL library's BIO objects, please see:\n * - OpenSSL's generic BIO objects:\n * https://docs.openssl.org/master/man7/bio/#bio\n * - OpenSSL's SSL-BIO object:\n * https://docs.openssl.org/master/man3/BIO_f_ssl/#bio_f_ssl\n */\n" }, { "path": "doc/doxygen/doc_data_control.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Data Channel Control module documentation file.\n */\n\n/**\n * @defgroup data_control Data Channel Control module\n *\n * This module controls the processing of packets as they pass through the\n * data channel.\n *\n * The Data Channel Control module controls the processing of packets as\n * they pass through the data channel. The processing includes packet\n * compression, fragmentation, and the performing of security operations\n * on the packets. This module does not do the processing itself, but\n * passes the packet to other data channel modules to perform the\n * appropriate actions.\n *\n * Packets can travel in two directions through the data channel. They\n * can be going to a remote destination which is reachable through a VPN\n * tunnel, in which case this module prepares them to be sent out through\n * a VPN tunnel. On the other hand, they can have been received through a\n * VPN tunnel from a remote OpenVPN peer, in which case this module\n * retrieves the packet in its original form as it was before entering the\n * VPN tunnel on the remote OpenVPN peer. How this module processes\n * packets traveling in the two directions is discussed in more detail\n * below.\n *\n * @par Packets to be sent to a remote OpenVPN peer\n * This module's main function for processing packets traveling in this\n * direction is \\c encrypt_sign(), which performs the following processing\n * steps:\n * - Call the \\link compression Data Channel Compression module\\endlink to\n * perform packet compression if necessary.\n * - Call the \\link fragmentation Data Channel Fragmentation\n * module\\endlink to perform packet fragmentation if necessary.\n * - Call the \\link data_crypto Data Channel Crypto module\\endlink to\n * perform the required security operations.\n *\n * @par\n * See the \\c encrypt_sign() documentation for details of these\n * interactions.\n *\n * @par\n * After the above processing is complete, the packet is ready to be sent\n * to a remote OpenVPN peer as a VPN tunnel packet. The actual sending of\n * the packet is handled by the \\link external_multiplexer External\n * Multiplexer\\endlink.\n *\n * @par Packets received from a remote OpenVPN peer\n * The function that controls how packets traveling in this direction are\n * processed is \\c process_incoming_link(). That function, however, also\n * performs some of the tasks required for the \\link external_multiplexer\n * External Multiplexer\\endlink and is therefore listed as part of that\n * module, instead of here.\n *\n * @par\n * After the \\c process_incoming_link() function has determined that a\n * received packet is a data channel packet, it performs the following\n * processing steps:\n * - Call the \\link data_crypto Data Channel Crypto module\\endlink to\n * perform the required security operations.\n * - Call the \\link fragmentation Data Channel Fragmentation\n * module\\endlink to perform packet reassembly if necessary.\n * - Call the \\link compression Data Channel Compression module\\endlink to\n * perform packet decompression if necessary.\n *\n * @par\n * See the \\c process_incoming_link() documentation for details of these\n * interactions.\n *\n * @par\n * After the above processing is complete, the packet is in its original\n * form again as it was received by the remote OpenVPN peer. It can now\n * be routed further to its final destination. If that destination is a\n * locally reachable host, then the \\link internal_multiplexer Internal\n * Multiplexer\\endlink will send it there.\n */\n" }, { "path": "doc/doxygen/doc_data_crypto.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Data Channel Crypto module documentation file.\n */\n\n/**\n * @addtogroup data_crypto Data Channel Crypto module\n *\n * The Data Channel Crypto Module performs cryptographic operations on\n * data channel packets.\n *\n * @par Security parameters\n * This module is merely the user of a VPN tunnel's security parameters.\n * It does not perform the negotiation and setup of the security\n * parameters, nor the %key generation involved. These actions are done\n * by the \\link control_processor Control Channel Processor\\endlink. This\n * module receives the appropriate security parameters from that module in\n * the form of a \\c crypto_options structure when they are necessary for\n * processing a packet.\n *\n * @par Packet processing functions\n * This module receives data channel packets from the \\link data_control\n * Data Channel Control module\\endlink and processes them according to the\n * security parameters of the packet's VPN tunnel. The \\link data_control\n * Data Channel Control module\\endlink uses the following interface\n * functions:\n * - For packets which will be sent to a remote OpenVPN peer:\n * - \\c tls_pre_encrypt()\n * - \\c openvpn_encrypt()\n * - \\c tls_post_encrypt()\n * - For packets which have been received from a remote OpenVPN peer:\n * - \\c tls_pre_decrypt() (documented as part of the \\link\n * external_multiplexer External Multiplexer\\endlink)\n * - \\c openvpn_decrypt()\n *\n * @par Settings that control this module's activity\n * How the data channel processes packets received from the \\link data_control\n * Data Channel Control module\\endlink at runtime depends on the associated\n * \\c crypto_options structure. To perform cryptographic operations, the\n * \\c crypto_options.key_ctx_bi must contain the correct cipher and HMAC\n * security parameters for the direction the packet is traveling in.\n *\n * @par Crypto algorithms\n * This module uses the crypto algorithm implementations of the external\n * crypto library (currently either OpenSSL (default), or mbed TLS).\n */\n" }, { "path": "doc/doxygen/doc_eventloop.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Main Event Loop module documentation file.\n */\n\n/**\n * @defgroup eventloop Main Event Loop module\n *\n * This main event loop module drives the packet processing of OpenVPN.\n *\n * OpenVPN is an event driven system. Its activities are driven by a main\n * event loop, which repeatedly waits for one of several predefined events\n * to occur, and then calls the appropriate module to handle the event.\n * The major types of network events that OpenVPN processes are:\n * - A packet can be read from the external network interface.\n * - The main event loop activates the \\link external_multiplexer\n * External Multiplexer\\endlink to read and process the packet.\n * - A packet can be read from the virtual tun/tap network interface.\n * - The main event loop activates the \\link internal_multiplexer\n * Internal Multiplexer\\endlink to read and process the packet.\n * - If a packet is ready to be sent out as a VPN tunnel packet: the\n * external network interface can be written to.\n * - The main event loop activates the \\link external_multiplexer\n * External Multiplexer\\endlink to send the packet.\n * - If a packet is ready to be sent to a locally reachable destination:\n * the virtual tun/tap network interface can be written to.\n * - The main event loop activates the \\link internal_multiplexer\n * Internal Multiplexer\\endlink to send the packet.\n *\n * Beside these external events, OpenVPN also processes other types of\n * internal events. These include scheduled events, such as resending of\n * non-acknowledged control channel messages.\n *\n * @par Main event loop implementations\n *\n * Depending on the mode in which OpenVPN is running, a different main\n * event loop function is called to drive the event processing. The\n * following implementations are available:\n * - Client mode using UDP or TCP: \\c tunnel_point_to_point()\n * - Server mode using UDP: \\c tunnel_server_udp()\n * - Server mode using TCP: \\c tunnel_server_tcp()\n */\n" }, { "path": "doc/doxygen/doc_external_multiplexer.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * External Multiplexer module documentation file.\n */\n\n/**\n * @addtogroup external_multiplexer External Multiplexer module\n *\n * The External Multiplexer is the link between the external network\n * interface and the other OpenVPN modules. It reads packets from the\n * external network interface, determines which remote OpenVPN peer and\n * VPN tunnel they are associated with, and whether they are data channel\n * or control channel packets. It then passes the packets on to the\n * appropriate processing module.\n *\n * This module also handles packets traveling in the reverse direction,\n * which have been generated by the local control channel or which have\n * already been processed by the \\link data_control Data Channel Control\n * module\\endlink and are destined for a remote host reachable through a\n * VPN tunnel.\n */\n" }, { "path": "doc/doxygen/doc_fragmentation.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Data Channel Fragmentation module documentation file.\n */\n\n/**\n * @defgroup fragmentation Data Channel Fragmentation module\n *\n * The Data Channel Fragmentation module offers fragmentation of data\n * channel packets.\n *\n * @par State structures\n * The Data Channel Fragmentation module stores its internal state in a \\c\n * fragment_master structure. One such structure is present for each VPN\n * tunnel, and is stored in \\c context.c2.fragment of the \\c context\n * associated with that VPN tunnel.\n *\n * @par\n * The \\c fragment_master structure contains one \\c fragment_list\n * structure \\c fragment_master.incoming. This is a list of \\c fragment\n * structures, each of which can store the parts of one fragmented packet\n * while it is being reassembled. The \\c fragment_master structure also\n * contains one \\c buffer called \\c fragment_master.outgoing, in which a\n * data channel large packet to be sent to a remote OpenVPN peer can be\n * broken up into parts to be sent one by one.\n *\n * @par Initialization and cleanup\n * Every time a new \\c fragment_master is needed, it must be allocated and\n * initialized by the \\c fragment_init() function. Similarly, every time\n * a \\c fragment_master is no longer needed, it must be cleaned up using\n * the \\c fragment_free() function. These functions take care of the\n * allocation and freeing of the \\c fragment_master structure itself and\n * all internal memory required for the use of that structure. Note that\n * this behavior is different from that displayed by the \\link compression\n * Data Channel Compression module\\endlink.\n *\n * @par\n * Because of the one-to-one relationship between \\c fragment_master\n * structures and VPN tunnels, the above-mentioned initialization and\n * cleanup functions are called directly from the \\c init_instance() and\n * \\c close_instance() functions, which control the initialization and\n * cleanup of VPN tunnel instances and their associated \\c context\n * structures.\n *\n * @par Packet processing functions\n * This module receives data channel packets from the \\link data_control\n * Data Channel Control module\\endlink and processes them according to the\n * settings of the packet's VPN tunnel. The \\link data_control Data\n * Channel Control module\\endlink uses the following interface functions:\n * - For packets which will be sent to a remote OpenVPN peer: \\c\n * fragment_outgoing() \\n This function inspects data channel packets as\n * they are being made ready to be sent as VPN tunnel packets to a\n * remote OpenVPN peer. If a packet's size is larger than its\n * destination VPN tunnel's maximum transmission unit (MTU), then this\n * module breaks that packet up into smaller parts, each of which is\n * smaller than or equal to the VPN tunnel's MTU. See \\c\n * fragment_outgoing() for details.\n * - For packets which have been received from a remote OpenVPN peer: \\c\n * fragment_incoming() \\n This function inspects data channel packets\n * that have been received from a remote OpenVPN peer through a VPN\n * tunnel. It reads the fragmentation header of the packet, and\n * depending on its value performs the appropriate action. See \\c\n * fragment_incoming() for details.\n *\n * @par Settings that control this module's activity\n * Whether the Data Channel Fragmentation module is active or not depends\n * on the compile-time \\c ENABLE_FRAGMENT preprocessor macro and the\n * runtime flag \\c options.fragment, which gets its value from the\n * process's configuration sources, such as the configuration file and\n * commandline %options.\n */\n" }, { "path": "doc/doxygen/doc_internal_multiplexer.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Internal Multiplexer module documentation file.\n */\n\n/**\n * @addtogroup internal_multiplexer Internal Multiplexer module\n *\n * The Internal Multiplexer is the link between the virtual tun/tap\n * network interface and the \\link data_control Data Channel Control\n * module\\endlink. It reads packets from the virtual network interface,\n * determines for which remote OpenVPN peer they are destined, and then\n * passes the packets on to the Data Channel Control module together with\n * information about their destination VPN tunnel instance.\n *\n * This module also handles packets traveling in the reverse direction,\n * which have already been processed by the Data Channel Control module\n * and are destined for a locally reachable host.\n */\n" }, { "path": "doc/doxygen/doc_key_generation.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Key generation documentation file.\n */\n\n/**\n * @page key_generation Data channel %key generation\n *\n * This section describes how OpenVPN peers generate and exchange %key\n * material necessary for the security operations performed on data\n * channel packets.\n *\n * The %key generation and exchange process between OpenVPN client and\n * server occurs every time data channel security parameters are\n * negotiated, for example during the initial setup of a VPN tunnel or\n * when the active security parameters expire. In source code terms, this\n * is when a new key_state structure is initialized.\n *\n * @section key_generation_method Key methods\n *\n * OpenVPN supports two different ways of generating and exchanging %key\n * material between client and server. These are known as %key method 1\n * and %key method 2. %Key method 2 is the recommended method. Both are\n * explained below.\n *\n * @subsection key_generation_method_1 Key method 1\n *\n * -# Each host generates its own random material.\n * -# Each host uses its locally generated random material as %key data\n * for encrypting and signing packets sent to the remote peer.\n * -# Each host then sends its random material to the remote peer, so that\n * the remote peer can use that %key data for authenticating and\n * decrypting received packets.\n *\n * @subsection key_generation_method_2 Key method 2\n *\n * There are two methods for generating key data when using key method 2\n * the first is OpenVPN's traditional approach that exchanges random\n * data and uses a PRF and the other is using the RFC5705 keying material\n * exporter to generate the key material. For both methods the random\n * data is exchange but only used in the traditional method.\n *\n * -# The client generates random material in the following amounts:\n * - Pre-master secret: 48 bytes\n * - Client's PRF seed for master secret: 32 bytes\n * - Client's PRF seed for %key expansion: 32 bytes\n * -# The client sends its share of random material to the server.\n * -# The server generates random material in the following amounts:\n * - Server's PRF seed for master secret: 32 bytes\n * - Server's PRF seed for %key expansion: 32 bytes\n * -# The server computes the %key expansion using its own and the\n * client's random material.\n * -# The server sends its share of random material to the client.\n * -# The client computes the %key expansion using its own and the\n * server's random material.\n *\n * %Key method 2 %key expansion is performed by the \\c\n * generate_key_expansion_openvpn_prf() function. Please refer to its source\n * code for details of the %key expansion process.\n *\n * When the client sends the IV_PROTO_TLS_KEY_EXPORT flag and the server replies\n * with `key-derivation tls-ekm` the RFC5705 key material exporter with the\n * label EXPORTER-OpenVPN-datakeys is used for the key data.\n *\n * @subsection key_generation_random Source of random material\n *\n * OpenVPN uses the either the OpenSSL library or the mbed TLS library as its\n * source of random material.\n *\n * In OpenSSL, the \\c RAND_bytes() function is called\n * to supply cryptographically strong pseudo-random data. The following links\n * contain more information on this subject:\n * - For OpenSSL's \\c RAND_bytes() function:\n * https://docs.openssl.org/master/man3/RAND_bytes/#rand_bytes\n * - For OpenSSL's pseudo-random number generating system:\n * https://docs.openssl.org/master/man7/RAND/#rand\n * - For OpenSSL's support for external crypto modules:\n * https://docs.openssl.org/master/man7/provider/#provider\n *\n * In mbed TLS, the Havege random number generator is used. For details, see\n * the mbed TLS documentation.\n *\n * @section key_generation_exchange Key exchange:\n *\n * The %key exchange process is initiated by the OpenVPN process running\n * in client mode. After the initial three-way handshake has successfully\n * completed, the client sends its share of random material to the server,\n * after which the server responds with its part. This process is\n * depicted below:\n *\n@verbatim\n Client Client Server Server\n State Action Action State\n---------- -------------------- -------------------- ----------\n\n ... waiting until three-way handshake complete ...\nS_START S_START\n key_method_?_write()\n send to server --> --> --> --> receive from client\nS_SENT_KEY key_method_?_read()\n S_GOT_KEY\n key_method_?_write()\n receive from server <-- <-- <-- <-- send to client\n key_method_?_read() S_SENT_KEY\nS_GOT_KEY\n ... waiting until control channel fully synchronized ...\nS_ACTIVE S_ACTIVE\n@endverbatim\n *\n * For more information about the client and server state values, see the\n * \\link control_processor Control Channel Processor module\\endlink.\n *\n * Depending on which %key method is used, the \\c ? in the function names\n * of the diagram above is a \\c 1 or a \\c 2. For example, if %key method\n * 2 is used, that %key exchange would be started by the client calling \\c\n * key_method_2_write(). These functions are called from the \\link\n * control_processor Control Channel Processor module's\\endlink \\c\n * tls_process() function and control the %key generation and exchange\n * process as follows:\n * - %Key method 1 has been removed in OpenVPN 2.5\n * - %Key method 2:\n * - \\c key_method_2_write(): generate random material locally, and if\n * in server mode generate %key expansion.\n * - \\c key_method_2_read(): read random material received from remote\n * peer, and if in client mode generate %key expansion.\n *\n * @subsection key_generation_encapsulation Transmission of key material\n *\n * The OpenVPN client and server communicate with each other through their\n * control channel. This means that all of the data transmitted over the\n * network, such as random material for %key generation, is encapsulated\n * in a TLS layer. For more details, see the \\link control_tls Control\n * Channel TLS module\\endlink documentation.\n */\n" }, { "path": "doc/doxygen/doc_mainpage.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Main page documentation file.\n */\n\n/**\n * @mainpage OpenVPN source code documentation\n *\n * This documentation describes the internal structure of OpenVPN. It was\n * automatically generated from specially formatted comment blocks in\n * OpenVPN's source code using Doxygen. (See\n * https://www.doxygen.nl/ for more information on Doxygen)\n *\n * The \\ref mainpage_modules \"Modules section\" below gives an introduction\n * into the high-level module concepts used throughout this documentation.\n * The \\ref mainpage_relatedpages \"Related Pages section\" below describes\n * various special subjects related to OpenVPN's implementation which are\n * discussed in the related pages section.\n *\n * @section mainpage_modules Modules\n *\n * For the purpose of describing the internal structure of OpenVPN, this\n * documentation and the underlying source code has been broken up into a\n * number of conceptually well-defined parts, known as modules. Each\n * module plays a specific role within the OpenVPN process, and in most\n * cases each module has a clear interfacing strategy for interacting with\n * other modules.\n *\n * The following modules have been defined:\n * - Driver module:\n * - The \\link eventloop Main Event Loop\\endlink: this module drives the\n * event handling of OpenVPN. It implements various types of\n * select-loop which wait until an event happens, and then delegate\n * the handling of that event to the appropriate module.\n * - Network interface modules:\n * - The \\link external_multiplexer External Multiplexer\\endlink: this\n * module sends and receives packets to and from remote OpenVPN peers\n * over the external network interface. It also takes care of\n * demultiplexing received packets to their appropriate VPN tunnel and\n * splitting control channel and data channel packets.\n * - The \\link internal_multiplexer Internal Multiplexer\\endlink: this\n * module sends and receives packets to and from locally reachable\n * posts over the virtual tun/tap network interface. It also takes\n * care of determining through which VPN tunnel a received packet must\n * be sent to reach its destination.\n * - Control channel modules:\n * - The \\link reliable Reliability Layer\\endlink: this module offers a\n * %reliable and sequential transport layer for control channel\n * messages.\n * - The \\link control_tls Control Channel TLS module\\endlink: this\n * module offers a secure encapsulation of control channel messages\n * using the TLS protocol.\n * - The \\link control_processor Control Channel Processor\\endlink: his\n * module manages the setup, maintenance, and shut down of VPN\n * tunnels.\n * - Data channel modules:\n * - The \\link data_control Data Channel Control module\\endlink: this\n * module controls the processing of data channel packets and,\n * depending on the settings of the packet's VPN tunnel, passes the\n * packet to the three modules below for handling.\n * - The \\link data_crypto Data Channel Crypto module\\endlink: this\n * module performs security operations on data channel packets.\n * - The \\link fragmentation Data Channel Fragmentation module\\endlink:\n * this module offers fragmentation of data channel packets larger\n * than the VPN tunnel's MTU.\n * - The \\link compression Data Channel Compression module\\endlink: this\n * module offers compression of data channel packets.\n *\n * @subsection mainpage_modules_example Example event: receiving a packet\n *\n * OpenVPN handles many types of events during operation. These include\n * external events, such as network traffic being received, and internal\n * events, such as a %key session timing out causing renegotiation. An\n * example event, receiving a packet over the network, is described here\n * together with which modules play what roles:\n * -# The \\link eventloop Main Event Loop\\endlink detects that a packet\n * can be read from the external or the virtual tun/tap network\n * interface.\n * -# The \\link eventloop Main Event Loop\\endlink calls the \\link\n * external_multiplexer External Multiplexer\\endlink or \\link\n * internal_multiplexer Internal Multiplexer\\endlink to read and\n * process the packet.\n * -# The multiplexer module determines the type of packet and its\n * destination, and passes the packet on to the appropriate handling\n * module:\n * - A control channel packet received by the \\link\n * external_multiplexer External Multiplexer\\endlink is passed on\n * through the \\link reliable Reliability Layer\\endlink and the \\link\n * control_tls Control Channel TLS module\\endlink to the \\link\n * control_processor Control Channel Processor\\endlink.\n * - A data channel packet received by either multiplexer module is\n * passed on to the \\link data_control Data Channel Control\n * module\\endlink.\n * -# The packet is processed by the appropriate control channel or data\n * channel modules.\n * -# If, after processing the packet, a resulting packet is generated\n * that needs to be sent to a local or remote destination, it is given\n * to the \\link external_multiplexer External Multiplexer\\endlink or\n * \\link internal_multiplexer Internal Multiplexer\\endlink for sending.\n * -# If a packet is waiting to be sent by either multiplexer module and\n * the \\link eventloop Main Event Loop\\endlink detects that data can be\n * written to the associated network interface, it calls the\n * multiplexer module to send the packet.\n *\n * @section mainpage_relatedpages Related pages\n *\n * This documentation includes a number of descriptions of various aspects\n * of OpenVPN and its implementation. These are not directly related to\n * one module, function, or data structure, and are therefore listed\n * separately under \"Related Pages\".\n *\n * @subsection mainpage_relatedpages_key_generation Data channel key generation\n *\n * The @ref key_generation \"Data channel key generation\" related page\n * describes how, during VPN tunnel setup and renegotiation, OpenVPN peers\n * generate and exchange the %key material required for the symmetric\n * encryption/decryption and HMAC signing/verifying security operations\n * performed on data channel packets.\n *\n * @subsection mainpage_relatedpages_tunnel_state VPN tunnel state\n *\n * The @ref tunnel_state \"Structure of VPN tunnel state storage\" related\n * page describes how an OpenVPN process manages the state information\n * associated with its active VPN tunnels.\n *\n * @subsection mainpage_relatedpages_network_protocol Network protocol\n *\n * The @ref network_protocol \"Network protocol\" related page describes the\n * format and content of VPN tunnel packets exchanged between OpenVPN\n * peers.\n *\n * @subsection mainpage_relatedpages_memory_management Memory management\n *\n * The @ref memory_management \"Memory management strategies\" related page\n * gives a brief introduction into OpenVPN's memory %buffer library and\n * garbage collection facilities.\n */\n" }, { "path": "doc/doxygen/doc_memory_management.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Memory management strategies documentation file.\n */\n\n/**\n * @page memory_management OpenVPN's memory management strategies\n *\n * This section describes several implementation details relating to\n * OpenVPN's memory management strategies.\n *\n * During operation, the OpenVPN process performs all kinds of operations\n * on blocks of data. Receiving packets, encrypting content, prepending\n * headers, etc. To make the programmer's job easier and to decrease the\n * likelihood of memory-related bugs, OpenVPN uses its own memory %buffer\n * library and garbage collection facilities. These are described in\n * brief here.\n *\n * @section memory_management_buffer The buffer structure\n *\n * The \\c buffer structure is a wrapper around a block of dynamically\n * allocated memory which keeps track of the block's capacity \\c\n * buffer.capacity and location in memory \\c buffer.data. This structure\n * supports efficient prepending and appending within the allocated memory\n * through the use of offset \\c buffer.offset and length \\c buffer.len\n * fields. See the \\c buffer documentation for more details on the\n * structure itself.\n *\n * OpenVPN's %buffer library, implemented in the \\c buffer.h and \\c\n * buffer.c files, contains many utility functions for working with \\c\n * buffer structures. These functions facilitate common operations, such\n * as allocating, freeing, reading and writing to \\c buffer structures,\n * and even offer several more advanced operations, such as string\n * matching and creating sub-buffers.\n *\n * Not only do these utility functions make working with \\c buffer\n * structures easy, they also perform extensive error checking. Each\n * function, where necessary, checks whether enough space is available\n * before performing its actions. This minimizes the chance of bugs\n * leading to %buffer overflows and other vulnerabilities.\n *\n * @section memory_management_frame The frame structure\n *\n * The \\c frame structure keeps track of the maximum allowed packet\n * geometries of a network connection.\n *\n * It is used, for example, to determine the size of \\c buffer structures\n * in which to store data channel packets. This is done by having each\n * data channel processing module register the maximum amount of extra\n * space it will need for header prepending and content expansion in the\n * \\c frame structure. Once these parameters are known, \\c buffer\n * structures can be allocated, based on the \\c frame parameters, so that\n * they are large enough to allow efficient prepending of headers and\n * processing of content.\n *\n * @section memory_management_garbage Garbage collection\n *\n * OpenVPN has many sizable functions which perform various actions\n * depending on their %context. This makes it difficult to know in advance\n * exactly how much memory must be allocated. The garbage collection\n * facilities are used to keep track of dynamic allocations, thereby\n * allowing easy collective freeing of the allocated memory.\n *\n * The garbage collection system is implemented by the \\c gc_arena and \\c\n * gc_entry structures. The arena represents a garbage collecting unit,\n * and contains a linked list of entries. Each entry represents one block\n * of dynamically allocated memory.\n *\n * The garbage collection system also contains various utility functions\n * for working with the garbage collection structures. These include\n * functions for initializing new arenas, allocating memory of a given\n * size and registering the allocation in an arena, and freeing all the\n * allocated memory associated with an arena.\n */\n" }, { "path": "doc/doxygen/doc_protocol_overview.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Network protocol overview documentation file.\n */\n\n/**\n * @page network_protocol OpenVPN's network protocol\n *\n * Description of packet structure in OpenVPN's network protocol.\n *\n * This document describes the structure of packets exchanged between\n * OpenVPN peers. It is based on the protocol description in the \\c ssl.h\n * file.\n *\n * @section network_protocol_external Outer structure of packets exchanged between OpenVPN peers\n *\n * VPN tunnel packets are transported between OpenVPN peers using the UDP\n * or TCP protocols. Their structure is described below.\n *\n * @subsection network_protocol_external_structure External packet structure\n *\n * - packet length (16 bits, unsigned) [TCP-mode only]: always sent as\n * plain text. Since TCP is a stream protocol, this packet length\n * defines the packetization of the stream.\n * - packet opcode and key_id (8 bits) [TLS-mode only]:\n * - package message type (high 5 bits)\n * - key_id (low 3 bits): the key_id refers to an already negotiated\n * TLS session. OpenVPN seamlessly renegotiates the TLS session by\n * using a new key_id for the new session. Overlap (controlled by\n * user definable parameters) between old and new TLS sessions is\n * allowed, providing a seamless transition during tunnel operation.\n * - payload (n bytes)\n *\n * @subsection network_protocol_external_types Message types\n *\n * The type of a VPN tunnel packet is indicated by its opcode. The\n * following describes the various opcodes available.\n *\n * - Control channel messages:\n * - \\ref P_CONTROL_HARD_RESET_CLIENT_V1 -- %Key method 1, initial %key\n * from client, forget previous state.\n * - \\ref P_CONTROL_HARD_RESET_SERVER_V1 -- %Key method 1, initial %key\n * from server, forget previous state.\n * - \\ref P_CONTROL_HARD_RESET_CLIENT_V2 -- %Key method 2, initial %key\n * from client, forget previous state.\n * - \\ref P_CONTROL_HARD_RESET_SERVER_V2 -- %Key method 2, initial %key\n * from server, forget previous state.\n * - \\ref P_CONTROL_SOFT_RESET_V1 -- New %key, with a graceful\n * transition from old to new %key in the sense that a transition\n * window exists where both the old or new key_id can be used.\n * - \\ref P_CONTROL_V1 -- Control channel packet (usually TLS\n * ciphertext).\n * - \\ref P_ACK_V1 -- Acknowledgement for control channel packets\n * received.\n * - Data channel messages:\n * - \\ref P_DATA_V1 -- Data channel packet containing data channel\n * ciphertext.\n * - \\ref P_DATA_V2 -- Data channel packet containing peer-id and data\n * channel ciphertext.\n *\n * @subsection network_protocol_external_key_id Session IDs and Key IDs\n *\n * OpenVPN uses two different forms of packet identifiers:\n * - The first form is 64 bits and is used for all control channel\n * messages. This form is referred to as a \\c session_id.\n * - Data channel messages on the other hand use a shortened form of 3\n * bits for efficiency reasons since the vast majority of OpenVPN\n * packets in an active tunnel will be data channel messages. This\n * form is referred to as a \\c key_id.\n *\n * The control and data channels use independent packet-id sequences,\n * because the data channel is an unreliable channel while the control\n * channel is a %reliable channel. Each use their own independent HMAC\n * keys.\n *\n * @subsection network_protocol_external_reliable Control channel reliability layer\n *\n * Control channel messages (\\c P_CONTROL_* and \\c P_ACK_* message types)\n * are TLS ciphertext packets which have been encapsulated inside of a\n * reliability layer. The reliability layer is implemented as a\n * straightforward acknowledge and retransmit model.\n *\n * Acknowledgments of received messages can be encoded in either the\n * dedicated \\c P_ACK_* record or they can be prepended to a \\c\n * P_CONTROL_* message.\n *\n * See the \\link reliable Reliability Layer\\endlink module for a detailed\n * description.\n *\n * @section network_protocol_control Structure of control channel messages\n *\n * @subsection network_protocol_control_ciphertext Structure of ciphertext control channel messages\n *\n * Control channel packets in ciphertext form consist of the following\n * parts:\n *\n * - local \\c session_id (random 64 bit value to identify TLS session).\n * (the tls-server side uses a HMAC of the client to create a pseudo\n * random number for a SYN Cookie like approach)\n * - HMAC signature of entire encapsulation header for HMAC firewall\n * [only if \\c --tls-auth is specified] (usually 16 or 20 bytes).\n * - packet-id for replay protection (4 or 8 bytes, includes sequence\n * number and optional \\c time_t timestamp).\n * - acknowledgment packet-id array length (1 byte).\n * - acknowledgment packet-id array (if length > 0).\n * - acknowledgment remote session-id (if length > 0).\n * - packet-id of this message (4 bytes).\n * - TLS payload ciphertext (n bytes) (only for \\c P_CONTROL_V1).\n *\n * Note that when \\c --tls-auth is used, all message types are protected\n * with an HMAC signature, even the initial packets of the TLS handshake.\n * This makes it easy for OpenVPN to throw away bogus packets quickly,\n * without wasting resources on attempting a TLS handshake which will\n * ultimately fail.\n *\n * @subsection network_protocol_control_key_methods Control channel key methods\n *\n * Once the TLS session has been initialized and authenticated, the TLS\n * channel is used to exchange random %key material for bidirectional\n * cipher and HMAC keys which will be used to secure data channel packets.\n * OpenVPN currently implements two %key methods. %Key method 1 directly\n * derives keys using random bits obtained from the \\c rand_bytes() function.\n * %Key method 2 mixes random %key material from both sides of the connection\n * using the TLS PRF mixing function. %Key method 2 is the preferred method and\n * is the default for OpenVPN 2.0+.\n *\n * The @ref key_generation \"Data channel key generation\" related page\n * describes the %key methods in more detail.\n *\n * @subsection network_protocol_control_plaintext Structure of plaintext control channel messages\n *\n * - %Key method 1 (support removed in OpenVPN 2.5):\n * - Cipher %key length in bytes (1 byte).\n * - Cipher %key (n bytes).\n * - HMAC %key length in bytes (1 byte).\n * - HMAC %key (n bytes).\n * - %Options string (n bytes, null terminated, client/server %options\n * string should match).\n * - %Key method 2:\n * - Literal 0 (4 bytes).\n * - %Key method (1 byte).\n * - \\c key_source structure (\\c key_source.pre_master only defined\n * for client -> server).\n * - %Options string length, including null (2 bytes).\n * - %Options string (n bytes, null terminated, client/server %options\n * string must match).\n * - [The username/password data below is optional, record can end at\n * this point.]\n * - Username string length, including null (2 bytes).\n * - Username string (n bytes, null terminated).\n * - Password string length, including null (2 bytes).\n * - Password string (n bytes, null terminated).\n *\n * @section network_protocol_data Structure of data channel messages\n *\n * The P_DATA_* payload represents encapsulated tunnel packets which tend to be\n * either IP packets or Ethernet frames. This is essentially the \"payload\" of\n * the VPN. Data channel packets consist of a data channel header, and a\n * payload. There are two possible formats:\n *\n * @par P_DATA_V1\n * P_DATA_V1 packets have a 1-byte header, carrying the \\ref P_DATA_V1 \\c opcode\n * and \\c key_id, followed by the payload:\\n\n * [ 5-bit opcode | 3-bit key_id ] [ payload ] \n *\n * @par P_DATA_V2\n * P_DATA_V2 packets have the same 1-byte opcode/key_id, but carrying the \\ref\n * P_DATA_V2 opcode, followed by a 3-byte peer-id, which uniquely identifies\n * the peer:\\n\n * [ 5-bit opcode | 3-bit key_id ] [ 24-bit peer-id ] [ payload ] \n *\n * See @ref data_crypto for details on the data channel payload format.\n *\n */\n" }, { "path": "doc/doxygen/doc_reliable.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * Reliability Layer module documentation file.\n */\n\n/**\n * @defgroup reliable Reliability Layer module\n *\n * The Reliability Layer is part of OpenVPN's control channel. It\n * provides a reliable and sequential transport mechanism for control\n * channel messages between OpenVPN peers. This module forms the\n * interface between the \\link external_multiplexer External\n * Multiplexer\\endlink and the \\link control_tls Control Channel TLS\n * module\\endlink.\n *\n * @par UDP or TCP as VPN tunnel transport\n *\n * This is especially important when OpenVPN is configured to communicate\n * over UDP, because UDP does not offer a reliable and sequential\n * transport. OpenVPN endpoints can also communicate over TCP which does\n * provide a reliable and sequential transport. In both cases, using UDP\n * or TCP as an external transport, the internal Reliability Layer is\n * active.\n */\n" }, { "path": "doc/doxygen/doc_tunnel_state.h", "content": "/*\n * OpenVPN -- An application to securely tunnel IP networks\n * over a single TCP/UDP port, with support for SSL/TLS-based\n * session authentication and key exchange,\n * packet encryption, packet authentication, and\n * packet compression.\n *\n * Copyright (C) 2010-2026 Sentyron B.V. \n *\n *\n * This program is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License version 2\n * as published by the Free Software Foundation.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License along\n * with this program; if not, see .\n */\n\n/**\n * @file\n * VPN tunnel state documentation file.\n */\n\n/**\n * @page tunnel_state Structure of the VPN tunnel state storage\n *\n * This section describes how OpenVPN stores its VPN tunnel state during\n * operation.\n *\n * OpenVPN uses several data structures as storage containers for state\n * information of active VPN tunnels. These are described in this\n * section, together with a little bit of history to help understand the\n * origin of the current architecture.\n *\n * Whether an OpenVPN process is running in client-mode or server-mode\n * determines whether it can support only one or multiple simultaneously\n * active VPN tunnels. This consequently also determines how the\n * associated state information is wrapped up internally. This section\n * gives an overview of the differences.\n *\n * @section tunnel_state_history Historic developments\n *\n * In the old v1.x series, an OpenVPN process managed only one single VPN\n * tunnel. This allowed the VPN tunnel state to be stored together with\n * process-global information in one single \\c context structure.\n *\n * This changed, however, in the v2.x series, as new OpenVPN versions\n * running in server-mode can support multiple simultaneously active VPN\n * tunnels. This necessitated a redesign of the VPN tunnel state\n * container structures, and modification of the \\link\n * external_multiplexer External Multiplexer\\endlink and \\link\n * internal_multiplexer Internal Multiplexer\\endlink systems. The\n * majority of these changes are only relevant for OpenVPN processes\n * running in server-mode, and the client-mode structure has remained very\n * similar to the v1.x single-tunnel form.\n *\n * @section tunnel_state_client Client-mode state\n *\n * An OpenVPN process running in client-mode can manage at most one single\n * VPN tunnel at any one time. The state information for a client's VPN\n * tunnel is stored in a \\c context structure.\n *\n * The \\c context structure is created in the \\c main() function. That is\n * also where process-wide initialization takes place, such as parsing\n * command line %options and reading configuration files. The \\c context\n * is then passed to \\c tunnel_point_to_point() which drives OpenVPN's\n * main event processing loop. These functions are both part of the \\link\n * eventloop Main Event Loop\\endlink module.\n *\n * @subsection tunnel_state_client_init Initialization and cleanup\n *\n * Because there is only one \\c context structure present, it can be\n * initialized and cleaned up from the client's main event processing\n * function. Before the \\c tunnel_point_to_point() function enters its\n * event loop, it calls \\c init_instance_handle_signals() which calls \\c\n * init_instance() to initialize the single \\c context structure. After\n * the event loop stops, it calls \\c close_instance() to clean up the \\c\n * context.\n *\n * @subsection tunnel_state_client_event Event processing\n *\n * When the main event processing loop activates the external or internal\n * multiplexer to handle a network event, it is not necessary to determine\n * which VPN tunnel the event is associated with, because there is only\n * one VPN tunnel active.\n *\n * @section tunnel_state_server Server-mode state\n *\n * An OpenVPN process running in server-mode can manage multiple\n * simultaneously active VPN tunnels. For every VPN tunnel active, in\n * other words for every OpenVPN client which is connected to a server,\n * the OpenVPN server has one \\c context structure in which it stores that\n * particular VPN tunnel's state information.\n *\n * @subsection tunnel_state_server_multi Multi_context and multi_instance structures\n *\n * To support multiple \\c context structures, each is wrapped in a \\c\n * multi_instance structure, and all the \\c multi_instance structures are\n * registered in one single \\c multi_context structure. The \\link\n * external_multiplexer External Multiplexer\\endlink and \\link\n * internal_multiplexer Internal Multiplexer\\endlink then use the \\c\n * multi_context to retrieve the correct \\c multi_instance and \\c context\n * associated with a given network address.\n *\n * @subsection tunnel_state_server_init Startup and initialization\n *\n * An OpenVPN process running in server-mode starts in the same \\c main()\n * function as it would in client-mode. The same process-wide\n * initialization is performed, and the resulting state and configuration\n * is stored in a \\c context structure. The server-mode and client-mode\n * processes diverge when the \\c main() function calls one of \\c\n * tunnel_point_to_point() or \\c tunnel_server().\n *\n * In server-mode, \\c main() calls the \\c tunnel_server() function, which\n * transfers control to \\c tunnel_server_udp() or \\c\n * tunnel_server_tcp() depending on the external transport protocol.\n *\n * These functions receive the \\c context created in \\c main(). This\n * object has a special status in server-mode, as it does not represent an\n * active VPN tunnel, but does contain process-wide configuration\n * parameters. In the source code, it is often stored in \"top\" variables.\n * To distinguish this object from other instances of the same type, its\n * \\c context.mode value is set to \\c CM_TOP. Other \\c context objects,\n * which do represent active VPN tunnels, have a \\c context.mode set to \\c\n * CM_CHILD_UDP or \\c CM_CHILD_TCP, depending on the external transport\n * protocol.\n *\n * Both \\c tunnel_server_udp_single_threaded() and \\c tunnel_server_tcp()\n * perform similar initialization. In either case, a \\c multi_context\n * structure is created, and it is initialized according to the\n * configuration stored in the top \\c context by the \\c multi_init() and\n * \\c multi_top_init() functions.\n *\n * @subsection tunnel_state_server_tunnels Creating and destroying VPN tunnels\n *\n * When an OpenVPN client makes a new connection to a server, the server\n * creates a new \\c context and \\c multi_instance. The latter is\n * registered in the \\c multi_context, which makes it possible for the\n * external and internal multiplexers to retrieve the correct \\c\n * multi_instance and \\c context when a network event occurs.\n *\n * @subsection tunnel_state_server_cleanup Final cleanup\n *\n * After the main event loop exits, both \\c\n * tunnel_server_udp_single_threaded() and \\c tunnel_server_tcp() perform\n * similar cleanup. They call \\c multi_uninit() followed by \\c\n * multi_top_free() to clean up the \\c multi_context structure.\n */\n" }, { "path": "doc/doxygen/openvpn.doxyfile.in", "content": "# Doxyfile 1.9.1\n\n# This file describes the settings to be used by the documentation system\n# doxygen (www.doxygen.org) for a project.\n#\n# All text after a double hash (##) is considered a comment and is placed in\n# front of the TAG it is preceding.\n#\n# All text after a single hash (#) is considered a comment and will be ignored.\n# The format is:\n# TAG = value [value, ...]\n# For lists, items can also be appended using:\n# TAG += value [value, ...]\n# Values that contain spaces should be placed between quotes (\\\" \\\").\n\n#---------------------------------------------------------------------------\n# Project related configuration options\n#---------------------------------------------------------------------------\n\n# This tag specifies the encoding used for all characters in the configuration\n# file that follow. The default is UTF-8 which is also the encoding used for all\n# text before the first occurrence of this tag. Doxygen uses libiconv (or the\n# iconv built into libc) for the transcoding. See\n# https://www.gnu.org/software/libiconv/ for the list of possible encodings.\n# The default value is: UTF-8.\n\nDOXYFILE_ENCODING = UTF-8\n\n# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by\n# double-quotes, unless you are using Doxywizard) that should identify the\n# project for which the documentation is generated. This name is used in the\n# title of most generated pages and in a few other places.\n# The default value is: My Project.\n\nPROJECT_NAME = OpenVPN\n\n# The PROJECT_NUMBER tag can be used to enter a project or revision number. This\n# could be handy for archiving the generated documentation or if some version\n# control system is used.\n\nPROJECT_NUMBER =\n\n# Using the PROJECT_BRIEF tag one can provide an optional one line description\n# for a project that appears at the top of each page and should give viewer a\n# quick idea about the purpose of the project. Keep the description short.\n\nPROJECT_BRIEF =\n\n# With the PROJECT_LOGO tag one can specify a logo or an icon that is included\n# in the documentation. The maximum height of the logo should not exceed 55\n# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy\n# the logo to the output directory.\n\nPROJECT_LOGO =\n\n# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path\n# into which the generated documentation will be written. If a relative path is\n# entered, it will be relative to the location where doxygen was started. If\n# left blank the current directory will be used.\n\nOUTPUT_DIRECTORY = @abs_top_builddir@/doc/doxygen\n\n# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-\n# directories (in 2 levels) under the output directory of each output format and\n# will distribute the generated files over these directories. Enabling this\n# option can be useful when feeding doxygen a huge amount of source files, where\n# putting all generated files in the same directory would otherwise causes\n# performance problems for the file system.\n# The default value is: NO.\n\nCREATE_SUBDIRS = NO\n\n# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII\n# characters to appear in the names of generated files. If set to NO, non-ASCII\n# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode\n# U+3044.\n# The default value is: NO.\n\nALLOW_UNICODE_NAMES = NO\n\n# The OUTPUT_LANGUAGE tag is used to specify the language in which all\n# documentation generated by doxygen is written. Doxygen will use this\n# information to generate all constant output in the proper language.\n# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,\n# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),\n# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,\n# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),\n# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,\n# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,\n# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,\n# Ukrainian and Vietnamese.\n# The default value is: English.\n\nOUTPUT_LANGUAGE = English\n\n# The OUTPUT_TEXT_DIRECTION tag is used to specify the direction in which all\n# documentation generated by doxygen is written. Doxygen will use this\n# information to generate all generated output in the proper direction.\n# Possible values are: None, LTR, RTL and Context.\n# The default value is: None.\n\nOUTPUT_TEXT_DIRECTION = None\n\n# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member\n# descriptions after the members that are listed in the file and class\n# documentation (similar to Javadoc). Set to NO to disable this.\n# The default value is: YES.\n\nBRIEF_MEMBER_DESC = YES\n\n# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief\n# description of a member or function before the detailed description\n#\n# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the\n# brief descriptions will be completely suppressed.\n# The default value is: YES.\n\nREPEAT_BRIEF = YES\n\n# This tag implements a quasi-intelligent brief description abbreviator that is\n# used to form the text in various listings. Each string in this list, if found\n# as the leading text of the brief description, will be stripped from the text\n# and the result, after processing the whole list, is used as the annotated\n# text. Otherwise, the brief description is used as-is. If left blank, the\n# following values are used ($name is automatically replaced with the name of\n# the entity):The $name class, The $name widget, The $name file, is, provides,\n# specifies, contains, represents, a, an and the.\n\nABBREVIATE_BRIEF = \"The $name class\" \\\n \"The $name widget\" \\\n \"The $name file\" \\\n is \\\n provides \\\n specifies \\\n contains \\\n represents \\\n a \\\n an \\\n the\n\n# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then\n# doxygen will generate a detailed section even if there is only a brief\n# description.\n# The default value is: NO.\n\nALWAYS_DETAILED_SEC = NO\n\n# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all\n# inherited members of a class in the documentation of that class as if those\n# members were ordinary class members. Constructors, destructors and assignment\n# operators of the base classes will not be shown.\n# The default value is: NO.\n\nINLINE_INHERITED_MEMB = NO\n\n# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path\n# before files name in the file list and in the header files. If set to NO the\n# shortest path that makes the file name unique will be used\n# The default value is: YES.\n\nFULL_PATH_NAMES = YES\n\n# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path.\n# Stripping is only done if one of the specified strings matches the left-hand\n# part of the path. The tag can be used to show relative paths in the file list.\n# If left blank the directory from which doxygen is run is used as the path to\n# strip.\n#\n# Note that you can specify absolute paths here, but also relative paths, which\n# will be relative from the directory where doxygen is started.\n# This tag requires that the tag FULL_PATH_NAMES is set to YES.\n\nSTRIP_FROM_PATH = @abs_top_srcdir@\n\n# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the\n# path mentioned in the documentation of a class, which tells the reader which\n# header file to include in order to use a class. If left blank only the name of\n# the header file containing the class definition is used. Otherwise one should\n# specify the list of include paths that are normally passed to the compiler\n# using the -I flag.\n\nSTRIP_FROM_INC_PATH =\n\n# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but\n# less readable) file names. This can be useful is your file systems doesn't\n# support long names like on DOS, Mac, or CD-ROM.\n# The default value is: NO.\n\nSHORT_NAMES = NO\n\n# If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the\n# first line (until the first dot) of a Javadoc-style comment as the brief\n# description. If set to NO, the Javadoc-style will behave just like regular Qt-\n# style comments (thus requiring an explicit @brief command for a brief\n# description.)\n# The default value is: NO.\n\nJAVADOC_AUTOBRIEF = YES\n\n# If the JAVADOC_BANNER tag is set to YES then doxygen will interpret a line\n# such as\n# /***************\n# as being the beginning of a Javadoc-style comment \"banner\". If set to NO, the\n# Javadoc-style will behave just like regular comments and it will not be\n# interpreted by doxygen.\n# The default value is: NO.\n\nJAVADOC_BANNER = NO\n\n# If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first\n# line (until the first dot) of a Qt-style comment as the brief description. If\n# set to NO, the Qt-style will behave just like regular Qt-style comments (thus\n# requiring an explicit \\brief command for a brief description.)\n# The default value is: NO.\n\nQT_AUTOBRIEF = NO\n\n# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a\n# multi-line C++ special comment block (i.e. a block of //! or /// comments) as\n# a brief description. This used to be the default behavior. The new default is\n# to treat a multi-line C++ comment block as a detailed description. Set this\n# tag to YES if you prefer the old behavior instead.\n#\n# Note that setting this tag to YES also means that rational rose comments are\n# not recognized any more.\n# The default value is: NO.\n\nMULTILINE_CPP_IS_BRIEF = NO\n\n# By default Python docstrings are displayed as preformatted text and doxygen's\n# special commands cannot be used. By setting PYTHON_DOCSTRING to NO the\n# doxygen's special commands can be used and the contents of the docstring\n# documentation blocks is shown as doxygen documentation.\n# The default value is: YES.\n\nPYTHON_DOCSTRING = YES\n\n# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the\n# documentation from any documented member that it re-implements.\n# The default value is: YES.\n\nINHERIT_DOCS = YES\n\n# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new\n# page for each member. If set to NO, the documentation of a member will be part\n# of the file/class/namespace that contains it.\n# The default value is: NO.\n\nSEPARATE_MEMBER_PAGES = NO\n\n# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen\n# uses this value to replace tabs by spaces in code fragments.\n# Minimum value: 1, maximum value: 16, default value: 4.\n\nTAB_SIZE = 8\n\n# This tag can be used to specify a number of aliases that act as commands in\n# the documentation. An alias has the form:\n# name=value\n# For example adding\n# \"sideeffect=@par Side Effects:\\n\"\n# will allow you to put the command \\sideeffect (or @sideeffect) in the\n# documentation, which will result in a user-defined paragraph with heading\n# \"Side Effects:\". You can put \\n's in the value part of an alias to insert\n# newlines (in the resulting output). You can put ^^ in the value part of an\n# alias to insert a newline as if a physical newline was in the original file.\n# When you need a literal { or } or , in the value part of an alias you have to\n# escape them by means of a backslash (\\), this can lead to conflicts with the\n# commands \\{ and \\} for these it is advised to use the version @{ and @} or use\n# a double escape (\\\\{ and \\\\})\n\nALIASES =\n\n# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources\n# only. Doxygen will then generate output that is more tailored for C. For\n# instance, some of the names that are used will be different. The list of all\n# members will be omitted, etc.\n# The default value is: NO.\n\nOPTIMIZE_OUTPUT_FOR_C = YES\n\n# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or\n# Python sources only. Doxygen will then generate output that is more tailored\n# for that language. For instance, namespaces will be presented as packages,\n# qualified scopes will look different, etc.\n# The default value is: NO.\n\nOPTIMIZE_OUTPUT_JAVA = NO\n\n# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran\n# sources. Doxygen will then generate output that is tailored for Fortran.\n# The default value is: NO.\n\nOPTIMIZE_FOR_FORTRAN = NO\n\n# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL\n# sources. Doxygen will then generate output that is tailored for VHDL.\n# The default value is: NO.\n\nOPTIMIZE_OUTPUT_VHDL = NO\n\n# Set the OPTIMIZE_OUTPUT_SLICE tag to YES if your project consists of Slice\n# sources only. Doxygen will then generate output that is more tailored for that\n# language. For instance, namespaces will be presented as modules, types will be\n# separated into more groups, etc.\n# The default value is: NO.\n\nOPTIMIZE_OUTPUT_SLICE = NO\n\n# Doxygen selects the parser to use depending on the extension of the files it\n# parses. With this tag you can assign which parser to use for a given\n# extension. Doxygen has a built-in mapping, but you can override or extend it\n# using this tag. The format is ext=language, where ext is a file extension, and\n# language is one of the parsers supported by doxygen: IDL, Java, JavaScript,\n# Csharp (C#), C, C++, D, PHP, md (Markdown), Objective-C, Python, Slice, VHDL,\n# Fortran (fixed format Fortran: FortranFixed, free formatted Fortran:\n# FortranFree, unknown formatted Fortran: Fortran. In the later case the parser\n# tries to guess whether the code is fixed or free formatted code, this is the\n# default for Fortran type files). For instance to make doxygen treat .inc files\n# as Fortran files (default is PHP), and .f files as C (default is Fortran),\n# use: inc=Fortran f=C.\n#\n# Note: For files without extension you can use no_extension as a placeholder.\n#\n# Note that for custom extensions you also need to set FILE_PATTERNS otherwise\n# the files are not read by doxygen. When specifying no_extension you should add\n# * to the FILE_PATTERNS.\n#\n# Note see also the list of default file extension mappings.\n\nEXTENSION_MAPPING =\n\n# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments\n# according to the Markdown format, which allows for more readable\n# documentation. See https://daringfireball.net/projects/markdown/ for details.\n# The output of markdown processing is further processed by doxygen, so you can\n# mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in\n# case of backward compatibilities issues.\n# The default value is: YES.\n\nMARKDOWN_SUPPORT = YES\n\n# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up\n# to that level are automatically included in the table of contents, even if\n# they do not have an id attribute.\n# Note: This feature currently applies only to Markdown headings.\n# Minimum value: 0, maximum value: 99, default value: 5.\n# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.\n\nTOC_INCLUDE_HEADINGS = 5\n\n# When enabled doxygen tries to link words that correspond to documented\n# classes, or namespaces to their corresponding documentation. Such a link can\n# be prevented in individual cases by putting a % sign in front of the word or\n# globally by setting AUTOLINK_SUPPORT to NO.\n# The default value is: YES.\n\nAUTOLINK_SUPPORT = YES\n\n# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want\n# to include (a tag file for) the STL sources as input, then you should set this\n# tag to YES in order to let doxygen match functions declarations and\n# definitions whose arguments contain STL classes (e.g. func(std::string);\n# versus func(std::string) {}). This also make the inheritance and collaboration\n# diagrams that involve STL classes more complete and accurate.\n# The default value is: NO.\n\nBUILTIN_STL_SUPPORT = NO\n\n# If you use Microsoft's C++/CLI language, you should set this option to YES to\n# enable parsing support.\n# The default value is: NO.\n\nCPP_CLI_SUPPORT = NO\n\n# Set the SIP_SUPPORT tag to YES if your project consists of sip (see:\n# https://www.riverbankcomputing.com/software/sip/intro) sources only. Doxygen\n# will parse them like normal C++ but will assume all classes use public instead\n# of private inheritance when no explicit protection keyword is present.\n# The default value is: NO.\n\nSIP_SUPPORT = NO\n\n# For Microsoft's IDL there are propget and propput attributes to indicate\n# getter and setter methods for a property. Setting this option to YES will make\n# doxygen to replace the get and set methods by a property in the documentation.\n# This will only work if the methods are indeed getting or setting a simple\n# type. If this is not the case, or you want to show the methods anyway, you\n# should set this option to NO.\n# The default value is: YES.\n\nIDL_PROPERTY_SUPPORT = YES\n\n# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC\n# tag is set to YES then doxygen will reuse the documentation of the first\n# member in the group (if any) for the other members of the group. By default\n# all members of a group must be documented explicitly.\n# The default value is: NO.\n\nDISTRIBUTE_GROUP_DOC = NO\n\n# If one adds a struct or class to a group and this option is enabled, then also\n# any nested class or struct is added to the same group. By default this option\n# is disabled and one has to add nested compounds explicitly via \\ingroup.\n# The default value is: NO.\n\nGROUP_NESTED_COMPOUNDS = NO\n\n# Set the SUBGROUPING tag to YES to allow class member groups of the same type\n# (for instance a group of public functions) to be put as a subgroup of that\n# type (e.g. under the Public Functions section). Set it to NO to prevent\n# subgrouping. Alternatively, this can be done per class using the\n# \\nosubgrouping command.\n# The default value is: YES.\n\nSUBGROUPING = YES\n\n# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions\n# are shown inside the group in which they are included (e.g. using \\ingroup)\n# instead of on a separate page (for HTML and Man pages) or section (for LaTeX\n# and RTF).\n#\n# Note that this feature does not work in combination with\n# SEPARATE_MEMBER_PAGES.\n# The default value is: NO.\n\nINLINE_GROUPED_CLASSES = NO\n\n# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions\n# with only public data fields or simple typedef fields will be shown inline in\n# the documentation of the scope in which they are defined (i.e. file,\n# namespace, or group documentation), provided this scope is documented. If set\n# to NO, structs, classes, and unions are shown on a separate page (for HTML and\n# Man pages) or section (for LaTeX and RTF).\n# The default value is: NO.\n\nINLINE_SIMPLE_STRUCTS = NO\n\n# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or\n# enum is documented as struct, union, or enum with the name of the typedef. So\n# typedef struct TypeS {} TypeT, will appear in the documentation as a struct\n# with name TypeT. When disabled the typedef will appear as a member of a file,\n# namespace, or class. And the struct will be named TypeS. This can typically be\n# useful for C code in case the coding convention dictates that all compound\n# types are typedef'ed and only the typedef is referenced, never the tag name.\n# The default value is: NO.\n\nTYPEDEF_HIDES_STRUCT = NO\n\n# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This\n# cache is used to resolve symbols given their name and scope. Since this can be\n# an expensive process and often the same symbol appears multiple times in the\n# code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small\n# doxygen will become slower. If the cache is too large, memory is wasted. The\n# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range\n# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536\n# symbols. At the end of a run doxygen will report the cache usage and suggest\n# the optimal cache size from a speed point of view.\n# Minimum value: 0, maximum value: 9, default value: 0.\n\nLOOKUP_CACHE_SIZE = 0\n\n# The NUM_PROC_THREADS specifies the number threads doxygen is allowed to use\n# during processing. When set to 0 doxygen will based this on the number of\n# cores available in the system. You can set it explicitly to a value larger\n# than 0 to get more control over the balance between CPU load and processing\n# speed. At this moment only the input processing can be done using multiple\n# threads. Since this is still an experimental feature the default is set to 1,\n# which efficively disables parallel processing. Please report any issues you\n# encounter. Generating dot graphs in parallel is controlled by the\n# DOT_NUM_THREADS setting.\n# Minimum value: 0, maximum value: 32, default value: 1.\n\nNUM_PROC_THREADS = 1\n\n#---------------------------------------------------------------------------\n# Build related configuration options\n#---------------------------------------------------------------------------\n\n# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in\n# documentation are documented, even if no documentation was available. Private\n# class members and static file members will be hidden unless the\n# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.\n# Note: This will also disable the warnings about undocumented members that are\n# normally produced when WARNINGS is set to YES.\n# The default value is: NO.\n\nEXTRACT_ALL = YES\n\n# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will\n# be included in the documentation.\n# The default value is: NO.\n\nEXTRACT_PRIVATE = YES\n\n# If the EXTRACT_PRIV_VIRTUAL tag is set to YES, documented private virtual\n# methods of a class will be included in the documentation.\n# The default value is: NO.\n\nEXTRACT_PRIV_VIRTUAL = NO\n\n# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal\n# scope will be included in the documentation.\n# The default value is: NO.\n\nEXTRACT_PACKAGE = NO\n\n# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be\n# included in the documentation.\n# The default value is: NO.\n\nEXTRACT_STATIC = YES\n\n# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined\n# locally in source files will be included in the documentation. If set to NO,\n# only classes defined in header files are included. Does not have any effect\n# for Java sources.\n# The default value is: YES.\n\nEXTRACT_LOCAL_CLASSES = YES\n\n# This flag is only useful for Objective-C code. If set to YES, local methods,\n# which are defined in the implementation section but not in the interface are\n# included in the documentation. If set to NO, only methods in the interface are\n# included.\n# The default value is: NO.\n\nEXTRACT_LOCAL_METHODS = YES\n\n# If this flag is set to YES, the members of anonymous namespaces will be\n# extracted and appear in the documentation as a namespace called\n# 'anonymous_namespace{file}', where file will be replaced with the base name of\n# the file that contains the anonymous namespace. By default anonymous namespace\n# are hidden.\n# The default value is: NO.\n\nEXTRACT_ANON_NSPACES = YES\n\n# If this flag is set to YES, the name of an unnamed parameter in a declaration\n# will be determined by the corresponding definition. By default unnamed\n# parameters remain unnamed in the output.\n# The default value is: YES.\n\nRESOLVE_UNNAMED_PARAMS = YES\n\n# If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all\n# undocumented members inside documented classes or files. If set to NO these\n# members will be included in the various overviews, but no documentation\n# section is generated. This option has no effect if EXTRACT_ALL is enabled.\n# The default value is: NO.\n\nHIDE_UNDOC_MEMBERS = NO\n\n# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all\n# undocumented classes that are normally visible in the class hierarchy. If set\n# to NO, these classes will be included in the various overviews. This option\n# has no effect if EXTRACT_ALL is enabled.\n# The default value is: NO.\n\nHIDE_UNDOC_CLASSES = NO\n\n# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend\n# declarations. If set to NO, these declarations will be included in the\n# documentation.\n# The default value is: NO.\n\nHIDE_FRIEND_COMPOUNDS = NO\n\n# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any\n# documentation blocks found inside the body of a function. If set to NO, these\n# blocks will be appended to the function's detailed documentation block.\n# The default value is: NO.\n\nHIDE_IN_BODY_DOCS = NO\n\n# The INTERNAL_DOCS tag determines if documentation that is typed after a\n# \\internal command is included. If the tag is set to NO then the documentation\n# will be excluded. Set it to YES to include the internal documentation.\n# The default value is: NO.\n\nINTERNAL_DOCS = NO\n\n# With the correct setting of option CASE_SENSE_NAMES doxygen will better be\n# able to match the capabilities of the underlying filesystem. In case the\n# filesystem is case sensitive (i.e. it supports files in the same directory\n# whose names only differ in casing), the option must be set to YES to properly\n# deal with such files in case they appear in the input. For filesystems that\n# are not case sensitive the option should be be set to NO to properly deal with\n# output files written for symbols that only differ in casing, such as for two\n# classes, one named CLASS and the other named Class, and to also support\n# references to files without having to specify the exact matching casing. On\n# Windows (including Cygwin) and MacOS, users should typically set this option\n# to NO, whereas on Linux or other Unix flavors it should typically be set to\n# YES.\n# The default value is: system dependent.\n\nCASE_SENSE_NAMES = NO\n\n# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with\n# their full class and namespace scopes in the documentation. If set to YES, the\n# scope will be hidden.\n# The default value is: NO.\n\nHIDE_SCOPE_NAMES = NO\n\n# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will\n# append additional text to a page's title, such as Class Reference. If set to\n# YES the compound reference will be hidden.\n# The default value is: NO.\n\nHIDE_COMPOUND_REFERENCE= NO\n\n# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of\n# the files that are included by a file in the documentation of that file.\n# The default value is: YES.\n\nSHOW_INCLUDE_FILES = YES\n\n# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each\n# grouped member an include statement to the documentation, telling the reader\n# which file to include in order to use the member.\n# The default value is: NO.\n\nSHOW_GROUPED_MEMB_INC = NO\n\n# If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include\n# files with double quotes in the documentation rather than with sharp brackets.\n# The default value is: NO.\n\nFORCE_LOCAL_INCLUDES = NO\n\n# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the\n# documentation for inline members.\n# The default value is: YES.\n\nINLINE_INFO = YES\n\n# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the\n# (detailed) documentation of file and class members alphabetically by member\n# name. If set to NO, the members will appear in declaration order.\n# The default value is: YES.\n\nSORT_MEMBER_DOCS = YES\n\n# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief\n# descriptions of file, namespace and class members alphabetically by member\n# name. If set to NO, the members will appear in declaration order. Note that\n# this will also influence the order of the classes in the class list.\n# The default value is: NO.\n\nSORT_BRIEF_DOCS = NO\n\n# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the\n# (brief and detailed) documentation of class members so that constructors and\n# destructors are listed first. If set to NO the constructors will appear in the\n# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.\n# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief\n# member documentation.\n# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting\n# detailed member documentation.\n# The default value is: NO.\n\nSORT_MEMBERS_CTORS_1ST = NO\n\n# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy\n# of group names into alphabetical order. If set to NO the group names will\n# appear in their defined order.\n# The default value is: NO.\n\nSORT_GROUP_NAMES = NO\n\n# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by\n# fully-qualified names, including namespaces. If set to NO, the class list will\n# be sorted only by class name, not including the namespace part.\n# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.\n# Note: This option applies only to the class list, not to the alphabetical\n# list.\n# The default value is: NO.\n\nSORT_BY_SCOPE_NAME = NO\n\n# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper\n# type resolution of all parameters of a function it will reject a match between\n# the prototype and the implementation of a member function even if there is\n# only one candidate or it is obvious which candidate to choose by doing a\n# simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still\n# accept a match between prototype and implementation in such cases.\n# The default value is: NO.\n\nSTRICT_PROTO_MATCHING = NO\n\n# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo\n# list. This list is created by putting \\todo commands in the documentation.\n# The default value is: YES.\n\nGENERATE_TODOLIST = YES\n\n# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test\n# list. This list is created by putting \\test commands in the documentation.\n# The default value is: YES.\n\nGENERATE_TESTLIST = YES\n\n# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug\n# list. This list is created by putting \\bug commands in the documentation.\n# The default value is: YES.\n\nGENERATE_BUGLIST = YES\n\n# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)\n# the deprecated list. This list is created by putting \\deprecated commands in\n# the documentation.\n# The default value is: YES.\n\nGENERATE_DEPRECATEDLIST= YES\n\n# The ENABLED_SECTIONS tag can be used to enable conditional documentation\n# sections, marked by \\if ... \\endif and \\cond \n# ... \\endcond blocks.\n\nENABLED_SECTIONS =\n\n# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the\n# initial value of a variable or macro / define can have for it to appear in the\n# documentation. If the initializer consists of more lines than specified here\n# it will be hidden. Use a value of 0 to hide initializers completely. The\n# appearance of the value of individual variables and macros / defines can be\n# controlled using \\showinitializer or \\hideinitializer command in the\n# documentation regardless of this setting.\n# Minimum value: 0, maximum value: 10000, default value: 30.\n\nMAX_INITIALIZER_LINES = 30\n\n# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at\n# the bottom of the documentation of classes and structs. If set to YES, the\n# list will mention the files that were used to generate the documentation.\n# The default value is: YES.\n\nSHOW_USED_FILES = YES\n\n# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This\n# will remove the Files entry from the Quick Index and from the Folder Tree View\n# (if specified).\n# The default value is: YES.\n\nSHOW_FILES = YES\n\n# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces\n# page. This will remove the Namespaces entry from the Quick Index and from the\n# Folder Tree View (if specified).\n# The default value is: YES.\n\nSHOW_NAMESPACES = YES\n\n# The FILE_VERSION_FILTER tag can be used to specify a program or script that\n# doxygen should invoke to get the current version for each file (typically from\n# the version control system). Doxygen will invoke the program by executing (via\n# popen()) the command command input-file, where command is the value of the\n# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided\n# by doxygen. Whatever the program writes to standard output is used as the file\n# version. For an example see the documentation.\n\nFILE_VERSION_FILTER =\n\n# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed\n# by doxygen. The layout file controls the global structure of the generated\n# output files in an output format independent way. To create the layout file\n# that represents doxygen's defaults, run doxygen with the -l option. You can\n# optionally specify a file name after the option, if omitted DoxygenLayout.xml\n# will be used as the name of the layout file.\n#\n# Note that if you run doxygen from a directory containing a file called\n# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE\n# tag is left empty.\n\nLAYOUT_FILE =\n\n# The CITE_BIB_FILES tag can be used to specify one or more bib files containing\n# the reference definitions. This must be a list of .bib files. The .bib\n# extension is automatically appended if omitted. This requires the bibtex tool\n# to be installed. See also https://en.wikipedia.org/wiki/BibTeX for more info.\n# For LaTeX the style of the bibliography can be controlled using\n# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the\n# search path. See also \\cite for info how to create references.\n\nCITE_BIB_FILES =\n\n#---------------------------------------------------------------------------\n# Configuration options related to warning and progress messages\n#---------------------------------------------------------------------------\n\n# The QUIET tag can be used to turn on/off the messages that are generated to\n# standard output by doxygen. If QUIET is set to YES this implies that the\n# messages are off.\n# The default value is: NO.\n\nQUIET = NO\n\n# The WARNINGS tag can be used to turn on/off the warning messages that are\n# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES\n# this implies that the warnings are on.\n#\n# Tip: Turn warnings on while writing the documentation.\n# The default value is: YES.\n\nWARNINGS = YES\n\n# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate\n# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag\n# will automatically be disabled.\n# The default value is: YES.\n\nWARN_IF_UNDOCUMENTED = YES\n\n# If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for\n# potential errors in the documentation, such as not documenting some parameters\n# in a documented function, or documenting parameters that don't exist or using\n# markup commands wrongly.\n# The default value is: YES.\n\nWARN_IF_DOC_ERROR = YES\n\n# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that\n# are documented, but have no documentation for their parameters or return\n# value. If set to NO, doxygen will only warn about wrong or incomplete\n# parameter documentation, but not about the absence of documentation. If\n# EXTRACT_ALL is set to YES then this flag will automatically be disabled.\n# The default value is: NO.\n\nWARN_NO_PARAMDOC = NO\n\n# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when\n# a warning is encountered. If the WARN_AS_ERROR tag is set to FAIL_ON_WARNINGS\n# then doxygen will continue running as if WARN_AS_ERROR tag is set to NO, but\n# at the end of the doxygen process doxygen will return with a non-zero status.\n# Possible values are: NO, YES and FAIL_ON_WARNINGS.\n# The default value is: NO.\n\nWARN_AS_ERROR = NO\n\n# The WARN_FORMAT tag determines the format of the warning messages that doxygen\n# can produce. The string should contain the $file, $line, and $text tags, which\n# will be replaced by the file and line number from which the warning originated\n# and the warning text. Optionally the format may contain $version, which will\n# be replaced by the version of the file (if it could be obtained via\n# FILE_VERSION_FILTER)\n# The default value is: $file:$line: $text.\n\nWARN_FORMAT = \"$file:$line: $text\"\n\n# The WARN_LOGFILE tag can be used to specify a file to which warning and error\n# messages should be written. If left blank the output is written to standard\n# error (stderr).\n\nWARN_LOGFILE = @abs_top_builddir@/doc/doxygen.warnings.log\n\n#---------------------------------------------------------------------------\n# Configuration options related to the input files\n#---------------------------------------------------------------------------\n\n# The INPUT tag is used to specify the files and/or directories that contain\n# documented source files. You may enter file names like myfile.cpp or\n# directories like /usr/src/myproject. Separate the files or directories with\n# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING\n# Note: If this tag is empty the current directory is searched.\n\nINPUT = @abs_top_srcdir@\n\n# This tag can be used to specify the character encoding of the source files\n# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses\n# libiconv (or the iconv built into libc) for the transcoding. See the libiconv\n# documentation (see:\n# https://www.gnu.org/software/libiconv/) for the list of possible encodings.\n# The default value is: UTF-8.\n\nINPUT_ENCODING = UTF-8\n\n# If the value of the INPUT tag contains directories, you can use the\n# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and\n# *.h) to filter out the source-files in the directories.\n#\n# Note that for custom extensions or not directly supported extensions you also\n# need to set EXTENSION_MAPPING for the extension otherwise the files are not\n# read by doxygen.\n#\n# Note the list of default checked file patterns might differ from the list of\n# default file extension mappings.\n#\n# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,\n# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,\n# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,\n# *.m, *.markdown, *.md, *.mm, *.dox (to be provided as doxygen C comment),\n# *.py, *.pyw, *.f90, *.f95, *.f03, *.f08, *.f18, *.f, *.for, *.vhd, *.vhdl,\n# *.ucf, *.qsf and *.ice.\n\nFILE_PATTERNS = *.c \\\n *.h\n\n# The RECURSIVE tag can be used to specify whether or not subdirectories should\n# be searched for input files as well.\n# The default value is: NO.\n\nRECURSIVE = YES\n\n# The EXCLUDE tag can be used to specify files and/or directories that should be\n# excluded from the INPUT source files. This way you can easily exclude a\n# subdirectory from a directory tree whose root is specified with the INPUT tag.\n#\n# Note that relative paths are relative to the directory from which doxygen is\n# run.\n\nEXCLUDE = @abs_top_srcdir@/out/\n\n# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or\n# directories that are symbolic links (a Unix file system feature) are excluded\n# from the input.\n# The default value is: NO.\n\nEXCLUDE_SYMLINKS = NO\n\n# If the value of the INPUT tag contains directories, you can use the\n# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude\n# certain files from those directories.\n#\n# Note that the wildcards are matched against the file with absolute path, so to\n# exclude all test directories for example use the pattern */test/*\n\nEXCLUDE_PATTERNS =\n\n# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names\n# (namespaces, classes, functions, etc.) that should be excluded from the\n# output. The symbol name can be a fully qualified name, a word, or if the\n# wildcard * is used, a substring. Examples: ANamespace, AClass,\n# AClass::ANamespace, ANamespace::*Test\n#\n# Note that the wildcards are matched against the file with absolute path, so to\n# exclude all test directories use the pattern */test/*\n\nEXCLUDE_SYMBOLS =\n\n# The EXAMPLE_PATH tag can be used to specify one or more files or directories\n# that contain example code fragments that are included (see the \\include\n# command).\n\nEXAMPLE_PATH =\n\n# If the value of the EXAMPLE_PATH tag contains directories, you can use the\n# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and\n# *.h) to filter out the source-files in the directories. If left blank all\n# files are included.\n\nEXAMPLE_PATTERNS = *\n\n# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be\n# searched for input files to be used with the \\include or \\dontinclude commands\n# irrespective of the value of the RECURSIVE tag.\n# The default value is: NO.\n\nEXAMPLE_RECURSIVE = NO\n\n# The IMAGE_PATH tag can be used to specify one or more files or directories\n# that contain images that are to be included in the documentation (see the\n# \\image command).\n\nIMAGE_PATH =\n\n# The INPUT_FILTER tag can be used to specify a program that doxygen should\n# invoke to filter for each input file. Doxygen will invoke the filter program\n# by executing (via popen()) the command:\n#\n# \n#\n# where is the value of the INPUT_FILTER tag, and is the\n# name of an input file. Doxygen will then use the output that the filter\n# program writes to standard output. If FILTER_PATTERNS is specified, this tag\n# will be ignored.\n#\n# Note that the filter must not add or remove lines; it is applied before the\n# code is scanned, but not when the output code is generated. If lines are added\n# or removed, the anchors will not be placed correctly.\n#\n# Note that for custom extensions or not directly supported extensions you also\n# need to set EXTENSION_MAPPING for the extension otherwise the files are not\n# properly processed by doxygen.\n\nINPUT_FILTER =\n\n# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern\n# basis. Doxygen will compare the file name with each pattern and apply the\n# filter if there is a match. The filters are a list of the form: pattern=filter\n# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how\n# filters are used. If the FILTER_PATTERNS tag is empty or if none of the\n# patterns match the file name, INPUT_FILTER is applied.\n#\n# Note that for custom extensions or not directly supported extensions you also\n# need to set EXTENSION_MAPPING for the extension otherwise the files are not\n# properly processed by doxygen.\n\nFILTER_PATTERNS =\n\n# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using\n# INPUT_FILTER) will also be used to filter the input files that are used for\n# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).\n# The default value is: NO.\n\nFILTER_SOURCE_FILES = NO\n\n# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file\n# pattern. A pattern will override the setting for FILTER_PATTERN (if any) and\n# it is also possible to disable source filtering for a specific pattern using\n# *.ext= (so without naming a filter).\n# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.\n\nFILTER_SOURCE_PATTERNS =\n\n# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that\n# is part of the input, its contents will be placed on the main page\n# (index.html). This can be useful if you have a project on for instance GitHub\n# and want to reuse the introduction page also for the doxygen output.\n\nUSE_MDFILE_AS_MAINPAGE =\n\n#---------------------------------------------------------------------------\n# Configuration options related to source browsing\n#---------------------------------------------------------------------------\n\n# If the SOURCE_BROWSER tag is set to YES then a list of source files will be\n# generated. Documented entities will be cross-referenced with these sources.\n#\n# Note: To get rid of all source code in the generated output, make sure that\n# also VERBATIM_HEADERS is set to NO.\n# The default value is: NO.\n\nSOURCE_BROWSER = YES\n\n# Setting the INLINE_SOURCES tag to YES will include the body of functions,\n# classes and enums directly into the documentation.\n# The default value is: NO.\n\nINLINE_SOURCES = NO\n\n# Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any\n# special comment blocks from generated source code fragments. Normal C, C++ and\n# Fortran comments will always remain visible.\n# The default value is: YES.\n\nSTRIP_CODE_COMMENTS = YES\n\n# If the REFERENCED_BY_RELATION tag is set to YES then for each documented\n# entity all documented functions referencing it will be listed.\n# The default value is: NO.\n\nREFERENCED_BY_RELATION = YES\n\n# If the REFERENCES_RELATION tag is set to YES then for each documented function\n# all documented entities called/used by that function will be listed.\n# The default value is: NO.\n\nREFERENCES_RELATION = YES\n\n# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set\n# to YES then the hyperlinks from functions in REFERENCES_RELATION and\n# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will\n# link to the documentation.\n# The default value is: YES.\n\nREFERENCES_LINK_SOURCE = YES\n\n# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the\n# source code will show a tooltip with additional information such as prototype,\n# brief description and links to the definition and documentation. Since this\n# will make the HTML file larger and loading of large files a bit slower, you\n# can opt to disable this feature.\n# The default value is: YES.\n# This tag requires that the tag SOURCE_BROWSER is set to YES.\n\nSOURCE_TOOLTIPS = YES\n\n# If the USE_HTAGS tag is set to YES then the references to source code will\n# point to the HTML generated by the htags(1) tool instead of doxygen built-in\n# source browser. The htags tool is part of GNU's global source tagging system\n# (see https://www.gnu.org/software/global/global.html). You will need version\n# 4.8.6 or higher.\n#\n# To use it do the following:\n# - Install the latest version of global\n# - Enable SOURCE_BROWSER and USE_HTAGS in the configuration file\n# - Make sure the INPUT points to the root of the source tree\n# - Run doxygen as normal\n#\n# Doxygen will invoke htags (and that will in turn invoke gtags), so these\n# tools must be available from the command line (i.e. in the search path).\n#\n# The result: instead of the source browser generated by doxygen, the links to\n# source code will now point to the output of htags.\n# The default value is: NO.\n# This tag requires that the tag SOURCE_BROWSER is set to YES.\n\nUSE_HTAGS = NO\n\n# If the VERBATIM_HEADERS tag is set the YES then doxygen will generate a\n# verbatim copy of the header file for each class for which an include is\n# specified. Set to NO to disable this.\n# See also: Section \\class.\n# The default value is: YES.\n\nVERBATIM_HEADERS = YES\n\n# If the CLANG_ASSISTED_PARSING tag is set to YES then doxygen will use the\n# clang parser (see:\n# http://clang.llvm.org/) for more accurate parsing at the cost of reduced\n# performance. This can be particularly helpful with template rich C++ code for\n# which doxygen's built-in parser lacks the necessary type information.\n# Note: The availability of this option depends on whether or not doxygen was\n# generated with the -Duse_libclang=ON option for CMake.\n# The default value is: NO.\n\nCLANG_ASSISTED_PARSING = NO\n\n# If clang assisted parsing is enabled and the CLANG_ADD_INC_PATHS tag is set to\n# YES then doxygen will add the directory of each input to the include path.\n# The default value is: YES.\n\nCLANG_ADD_INC_PATHS = YES\n\n# If clang assisted parsing is enabled you can provide the compiler with command\n# line options that you would normally use when invoking the compiler. Note that\n# the include paths will already be set by doxygen for the files and directories\n# specified with INPUT and INCLUDE_PATH.\n# This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES.\n\nCLANG_OPTIONS =\n\n# If clang assisted parsing is enabled you can provide the clang parser with the\n# path to the directory containing a file called compile_commands.json. This\n# file is the compilation database (see:\n# http://clang.llvm.org/docs/HowToSetupToolingForLLVM.html) containing the\n# options used when the source files were built. This is equivalent to\n# specifying the -p option to a clang tool, such as clang-check. These options\n# will then be passed to the parser. Any options specified with CLANG_OPTIONS\n# will be added as well.\n# Note: The availability of this option depends on whether or not doxygen was\n# generated with the -Duse_libclang=ON option for CMake.\n\nCLANG_DATABASE_PATH =\n\n#---------------------------------------------------------------------------\n# Configuration options related to the alphabetical class index\n#---------------------------------------------------------------------------\n\n# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all\n# compounds will be generated. Enable this if the project contains a lot of\n# classes, structs, unions or interfaces.\n# The default value is: YES.\n\nALPHABETICAL_INDEX = NO\n\n# In case all classes in a project start with a common prefix, all classes will\n# be put under the same header in the alphabetical index. The IGNORE_PREFIX tag\n# can be used to specify a prefix (or a list of prefixes) that should be ignored\n# while generating the index headers.\n# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.\n\nIGNORE_PREFIX =\n\n#---------------------------------------------------------------------------\n# Configuration options related to the HTML output\n#---------------------------------------------------------------------------\n\n# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output\n# The default value is: YES.\n\nGENERATE_HTML = YES\n\n# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a\n# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of\n# it.\n# The default directory is: html.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_OUTPUT = html\n\n# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each\n# generated HTML page (for example: .htm, .php, .asp).\n# The default value is: .html.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_FILE_EXTENSION = .html\n\n# The HTML_HEADER tag can be used to specify a user-defined HTML header file for\n# each generated HTML page. If the tag is left blank doxygen will generate a\n# standard header.\n#\n# To get valid HTML the header file that includes any scripts and style sheets\n# that doxygen needs, which is dependent on the configuration options used (e.g.\n# the setting GENERATE_TREEVIEW). It is highly recommended to start with a\n# default header using\n# doxygen -w html new_header.html new_footer.html new_stylesheet.css\n# YourConfigFile\n# and then modify the file new_header.html. See also section \"Doxygen usage\"\n# for information on how to generate the default header that doxygen normally\n# uses.\n# Note: The header is subject to change so you typically have to regenerate the\n# default header when upgrading to a newer version of doxygen. For a description\n# of the possible markers and block names see the documentation.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_HEADER =\n\n# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each\n# generated HTML page. If the tag is left blank doxygen will generate a standard\n# footer. See HTML_HEADER for more information on how to generate a default\n# footer and what special commands can be used inside the footer. See also\n# section \"Doxygen usage\" for information on how to generate the default footer\n# that doxygen normally uses.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_FOOTER =\n\n# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style\n# sheet that is used by each HTML page. It can be used to fine-tune the look of\n# the HTML output. If left blank doxygen will generate a default style sheet.\n# See also section \"Doxygen usage\" for information on how to generate the style\n# sheet that doxygen normally uses.\n# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as\n# it is more robust and this tag (HTML_STYLESHEET) will in the future become\n# obsolete.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_STYLESHEET =\n\n# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined\n# cascading style sheets that are included after the standard style sheets\n# created by doxygen. Using this option one can overrule certain style aspects.\n# This is preferred over using HTML_STYLESHEET since it does not replace the\n# standard style sheet and is therefore more robust against future updates.\n# Doxygen will copy the style sheet files to the output directory.\n# Note: The order of the extra style sheet files is of importance (e.g. the last\n# style sheet in the list overrules the setting of the previous ones in the\n# list). For an example see the documentation.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_EXTRA_STYLESHEET =\n\n# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or\n# other source files which should be copied to the HTML output directory. Note\n# that these files will be copied to the base HTML output directory. Use the\n# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these\n# files. In the HTML_STYLESHEET file, use the file name only. Also note that the\n# files will be copied as-is; there are no commands or markers available.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_EXTRA_FILES =\n\n# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen\n# will adjust the colors in the style sheet and background images according to\n# this color. Hue is specified as an angle on a colorwheel, see\n# https://en.wikipedia.org/wiki/Hue for more information. For instance the value\n# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300\n# purple, and 360 is red again.\n# Minimum value: 0, maximum value: 359, default value: 220.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_COLORSTYLE_HUE = 220\n\n# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors\n# in the HTML output. For a value of 0 the output will use grayscales only. A\n# value of 255 will produce the most vivid colors.\n# Minimum value: 0, maximum value: 255, default value: 100.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_COLORSTYLE_SAT = 100\n\n# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the\n# luminance component of the colors in the HTML output. Values below 100\n# gradually make the output lighter, whereas values above 100 make the output\n# darker. The value divided by 100 is the actual gamma applied, so 80 represents\n# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not\n# change the gamma.\n# Minimum value: 40, maximum value: 240, default value: 80.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_COLORSTYLE_GAMMA = 80\n\n# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML\n# page will contain the date and time when the page was generated. Setting this\n# to YES can help to show when doxygen was last run and thus if the\n# documentation is up to date.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_TIMESTAMP = NO\n\n# If the HTML_DYNAMIC_MENUS tag is set to YES then the generated HTML\n# documentation will contain a main index with vertical navigation menus that\n# are dynamically created via JavaScript. If disabled, the navigation index will\n# consists of multiple levels of tabs that are statically embedded in every HTML\n# page. Disable this option to support browsers that do not have JavaScript,\n# like the Qt help browser.\n# The default value is: YES.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_DYNAMIC_MENUS = YES\n\n# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML\n# documentation will contain sections that can be hidden and shown after the\n# page has loaded.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_DYNAMIC_SECTIONS = NO\n\n# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries\n# shown in the various tree structured indices initially; the user can expand\n# and collapse entries dynamically later on. Doxygen will expand the tree to\n# such a level that at most the specified number of entries are visible (unless\n# a fully collapsed tree already exceeds this amount). So setting the number of\n# entries 1 will produce a full collapsed tree by default. 0 is a special value\n# representing an infinite number of entries and will result in a full expanded\n# tree by default.\n# Minimum value: 0, maximum value: 9999, default value: 100.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_INDEX_NUM_ENTRIES = 100\n\n# If the GENERATE_DOCSET tag is set to YES, additional index files will be\n# generated that can be used as input for Apple's Xcode 3 integrated development\n# environment (see:\n# https://developer.apple.com/xcode/), introduced with OSX 10.5 (Leopard). To\n# create a documentation set, doxygen will generate a Makefile in the HTML\n# output directory. Running make will produce the docset in that directory and\n# running make install will install the docset in\n# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at\n# startup. See https://developer.apple.com/library/archive/featuredarticles/Doxy\n# genXcode/_index.html for more information.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nGENERATE_DOCSET = NO\n\n# This tag determines the name of the docset feed. A documentation feed provides\n# an umbrella under which multiple documentation sets from a single provider\n# (such as a company or product suite) can be grouped.\n# The default value is: Doxygen generated docs.\n# This tag requires that the tag GENERATE_DOCSET is set to YES.\n\nDOCSET_FEEDNAME = \"Doxygen generated docs\"\n\n# This tag specifies a string that should uniquely identify the documentation\n# set bundle. This should be a reverse domain-name style string, e.g.\n# com.mycompany.MyDocSet. Doxygen will append .docset to the name.\n# The default value is: org.doxygen.Project.\n# This tag requires that the tag GENERATE_DOCSET is set to YES.\n\nDOCSET_BUNDLE_ID = org.doxygen.Project\n\n# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify\n# the documentation publisher. This should be a reverse domain-name style\n# string, e.g. com.mycompany.MyDocSet.documentation.\n# The default value is: org.doxygen.Publisher.\n# This tag requires that the tag GENERATE_DOCSET is set to YES.\n\nDOCSET_PUBLISHER_ID = org.doxygen.Publisher\n\n# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher.\n# The default value is: Publisher.\n# This tag requires that the tag GENERATE_DOCSET is set to YES.\n\nDOCSET_PUBLISHER_NAME = Publisher\n\n# If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three\n# additional HTML index files: index.hhp, index.hhc, and index.hhk. The\n# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop\n# (see:\n# https://www.microsoft.com/en-us/download/details.aspx?id=21138) on Windows.\n#\n# The HTML Help Workshop contains a compiler that can convert all HTML output\n# generated by doxygen into a single compiled HTML file (.chm). Compiled HTML\n# files are now used as the Windows 98 help format, and will replace the old\n# Windows help format (.hlp) on all Windows platforms in the future. Compressed\n# HTML files also contain an index, a table of contents, and you can search for\n# words in the documentation. The HTML workshop also contains a viewer for\n# compressed HTML files.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nGENERATE_HTMLHELP = NO\n\n# The CHM_FILE tag can be used to specify the file name of the resulting .chm\n# file. You can add a path in front of the file if the result should not be\n# written to the html output directory.\n# This tag requires that the tag GENERATE_HTMLHELP is set to YES.\n\nCHM_FILE =\n\n# The HHC_LOCATION tag can be used to specify the location (absolute path\n# including file name) of the HTML help compiler (hhc.exe). If non-empty,\n# doxygen will try to run the HTML help compiler on the generated index.hhp.\n# The file has to be specified with full path.\n# This tag requires that the tag GENERATE_HTMLHELP is set to YES.\n\nHHC_LOCATION =\n\n# The GENERATE_CHI flag controls if a separate .chi index file is generated\n# (YES) or that it should be included in the main .chm file (NO).\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTMLHELP is set to YES.\n\nGENERATE_CHI = NO\n\n# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)\n# and project file content.\n# This tag requires that the tag GENERATE_HTMLHELP is set to YES.\n\nCHM_INDEX_ENCODING =\n\n# The BINARY_TOC flag controls whether a binary table of contents is generated\n# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it\n# enables the Previous and Next buttons.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTMLHELP is set to YES.\n\nBINARY_TOC = NO\n\n# The TOC_EXPAND flag can be set to YES to add extra items for group members to\n# the table of contents of the HTML help documentation and to the tree view.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTMLHELP is set to YES.\n\nTOC_EXPAND = NO\n\n# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and\n# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that\n# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help\n# (.qch) of the generated HTML documentation.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nGENERATE_QHP = NO\n\n# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify\n# the file name of the resulting .qch file. The path specified is relative to\n# the HTML output folder.\n# This tag requires that the tag GENERATE_QHP is set to YES.\n\nQCH_FILE =\n\n# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help\n# Project output. For more information please see Qt Help Project / Namespace\n# (see:\n# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#namespace).\n# The default value is: org.doxygen.Project.\n# This tag requires that the tag GENERATE_QHP is set to YES.\n\nQHP_NAMESPACE = org.doxygen.Project\n\n# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt\n# Help Project output. For more information please see Qt Help Project / Virtual\n# Folders (see:\n# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#virtual-folders).\n# The default value is: doc.\n# This tag requires that the tag GENERATE_QHP is set to YES.\n\nQHP_VIRTUAL_FOLDER = doc\n\n# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom\n# filter to add. For more information please see Qt Help Project / Custom\n# Filters (see:\n# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-filters).\n# This tag requires that the tag GENERATE_QHP is set to YES.\n\nQHP_CUST_FILTER_NAME =\n\n# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the\n# custom filter to add. For more information please see Qt Help Project / Custom\n# Filters (see:\n# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-filters).\n# This tag requires that the tag GENERATE_QHP is set to YES.\n\nQHP_CUST_FILTER_ATTRS =\n\n# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this\n# project's filter section matches. Qt Help Project / Filter Attributes (see:\n# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#filter-attributes).\n# This tag requires that the tag GENERATE_QHP is set to YES.\n\nQHP_SECT_FILTER_ATTRS =\n\n# The QHG_LOCATION tag can be used to specify the location (absolute path\n# including file name) of Qt's qhelpgenerator. If non-empty doxygen will try to\n# run qhelpgenerator on the generated .qhp file.\n# This tag requires that the tag GENERATE_QHP is set to YES.\n\nQHG_LOCATION =\n\n# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be\n# generated, together with the HTML files, they form an Eclipse help plugin. To\n# install this plugin and make it available under the help contents menu in\n# Eclipse, the contents of the directory containing the HTML and XML files needs\n# to be copied into the plugins directory of eclipse. The name of the directory\n# within the plugins directory should be the same as the ECLIPSE_DOC_ID value.\n# After copying Eclipse needs to be restarted before the help appears.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nGENERATE_ECLIPSEHELP = NO\n\n# A unique identifier for the Eclipse help plugin. When installing the plugin\n# the directory name containing the HTML and XML files should also have this\n# name. Each documentation set should have its own identifier.\n# The default value is: org.doxygen.Project.\n# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES.\n\nECLIPSE_DOC_ID = org.doxygen.Project\n\n# If you want full control over the layout of the generated HTML pages it might\n# be necessary to disable the index and replace it with your own. The\n# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top\n# of each HTML page. A value of NO enables the index and the value YES disables\n# it. Since the tabs in the index contain the same information as the navigation\n# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nDISABLE_INDEX = NO\n\n# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index\n# structure should be generated to display hierarchical information. If the tag\n# value is set to YES, a side panel will be generated containing a tree-like\n# index structure (just like the one that is generated for HTML Help). For this\n# to work a browser that supports JavaScript, DHTML, CSS and frames is required\n# (i.e. any modern browser). Windows users are probably better off using the\n# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can\n# further fine-tune the look of the index. As an example, the default style\n# sheet generated by doxygen has an example that shows how to put an image at\n# the root of the tree instead of the PROJECT_NAME. Since the tree basically has\n# the same information as the tab index, you could consider setting\n# DISABLE_INDEX to YES when enabling this option.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nGENERATE_TREEVIEW = NO\n\n# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that\n# doxygen will group on one line in the generated HTML documentation.\n#\n# Note that a value of 0 will completely suppress the enum values from appearing\n# in the overview section.\n# Minimum value: 0, maximum value: 20, default value: 4.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nENUM_VALUES_PER_LINE = 4\n\n# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used\n# to set the initial width (in pixels) of the frame in which the tree is shown.\n# Minimum value: 0, maximum value: 1500, default value: 250.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nTREEVIEW_WIDTH = 250\n\n# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to\n# external symbols imported via tag files in a separate window.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nEXT_LINKS_IN_WINDOW = NO\n\n# If the HTML_FORMULA_FORMAT option is set to svg, doxygen will use the pdf2svg\n# tool (see https://github.com/dawbarton/pdf2svg) or inkscape (see\n# https://inkscape.org) to generate formulas as SVG images instead of PNGs for\n# the HTML output. These images will generally look nicer at scaled resolutions.\n# Possible values are: png (the default) and svg (looks nicer but requires the\n# pdf2svg or inkscape tool).\n# The default value is: png.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nHTML_FORMULA_FORMAT = png\n\n# Use this tag to change the font size of LaTeX formulas included as images in\n# the HTML documentation. When you change the font size after a successful\n# doxygen run you need to manually remove any form_*.png images from the HTML\n# output directory to force them to be regenerated.\n# Minimum value: 8, maximum value: 50, default value: 10.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nFORMULA_FONTSIZE = 10\n\n# Use the FORMULA_TRANSPARENT tag to determine whether or not the images\n# generated for formulas are transparent PNGs. Transparent PNGs are not\n# supported properly for IE 6.0, but are supported on all modern browsers.\n#\n# Note that when changing this option you need to delete any form_*.png files in\n# the HTML output directory before the changes have effect.\n# The default value is: YES.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nFORMULA_TRANSPARENT = YES\n\n# The FORMULA_MACROFILE can contain LaTeX \\newcommand and \\renewcommand commands\n# to create new LaTeX commands to be used in formulas as building blocks. See\n# the section \"Including formulas\" for details.\n\nFORMULA_MACROFILE =\n\n# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see\n# https://www.mathjax.org) which uses client side JavaScript for the rendering\n# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX\n# installed or if you want to formulas look prettier in the HTML output. When\n# enabled you may also need to install MathJax separately and configure the path\n# to it using the MATHJAX_RELPATH option.\n# The default value is: NO.\n# This tag requires that the tag GENERATE_HTML is set to YES.\n\nUSE_MATHJAX = NO\n\n# When MathJax is enabled you can set the default output format to be used for\n# the MathJax output. See the MathJax site (see:\n# http://docs.mathjax.org/en/v2.7-latest/output.html) for more details.\n# Possible values are: HTML-CSS (which is slower, but has the best\n# compatibility), NativeMML (i.e. MathML) and SVG.\n# The default value is: HTML-CSS.\n# This tag requires that the tag USE_MATHJAX is set to YES.\n\nMATHJAX_FORMAT = HTML-CSS\n\n# When MathJax is enabled you need to specify the location relative to the HTML\n# output directory using the MATHJAX_RELPATH option. The destination directory\n# should contain the MathJax.js script. For instance, if the mathjax directory\n# is located at the same level as the HTML output directory, then\n# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax\n# Content Delivery Network so you can quickly see the result without installing\n# MathJax. However, it is strongly recommended to install a local copy of\n# MathJax from https://www.mathjax.org before deployment.\n# The default value is: https://cdn.jsdelivr.net/npm/mathjax@2.\n# This tag requires that the tag USE_MATHJAX is set to YES.\n\nMATHJAX_RELPATH = https://cdn.jsdelivr.net/npm/mathjax@2\n\n# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax\n# extension names that should be enabled during MathJax rendering. For example\n# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols\n# This tag requires that the tag USE_MATHJAX is set to YES.\n\nMATHJAX_EXTENSIONS =\n\n# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces\n# of code that will be used on startup of the MathJax code. See the MathJax site\n# (see:\n# http://docs.mathjax.org/en/v2.7-latest/output.html) for more details. For an\n# example see the documentation.\n# This tag requires that the tag USE_MATHJAX is set to YES.\n\nMATHJAX_CODEFILE =\n\n# When the SEARCHENGINE tag is enabled doxygen will generate a search box for\n# the HTML output. The underlying search engine uses javascript and DHTML and\n# should work on any modern browser. Note that when using HTML help\n# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET)\n# there is already a search function so this one should typically be disabled.\n# For large projects the javascript based search engine can be slow, then\n# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to\n# search using the keyboard; to jump to the search box use + S\n# (what the is depends on the OS and browser, but it is typically\n# , /