# This FILE allows git blame to ignore reformatting changes and instead
# shows the previous commit that changed the line.
#
# To avoid manually building the list of commits this commit
# adds a file with a list of reformatting commits. TO use:
#
# git blame --ignore-revs-file=.git-blame-ignore-revs file
#
# or to automatically always use the file
#
# git config blame.ignoreRevsFile .git-blame-ignore-revs
# Uncrustify 2020/06... (engine, pool, SSO)
c1ff8f247f91c88a2df5502eeedf42857f9a6831
# Uncrustify the tests/unit_tests/ part of our tree.
da1574ef7826d73f01e120cbd1ba40ce39a305b7
# Another round of uncrustify code cleanup.
9cf7b4925a54d93fbea1cadcf3dc0e11f3ce358f
# networking_sitnl.c: uncrustify file
2c45d268ca65c522fbabb7c4dab5e721296b4623
# Uncrustify tapctl and openvpnmsica
6280d3d5536174934ee22d3840457d61896e0e3a
# tun.c: uncrustify
baef44fc8769bbd99f4d699ce9f63180c29a5455
# networking_sitnl.c: uncrustify file
2c45d268ca65c522fbabb7c4dab5e721296b4623
# uncrustify openvpn sources
f57431cdc88f22fa4d7962946f0d3187fe058539
# More broadly enforce Allman style and braces-around-conditionals
4cd4899e8e80efae03c584a760fd107251735723
# The Great Reformatting - first phase
81d882d5302b8b647202a6893b57dfdc61fd6df2
# Fix trailing-whitespace errors in last patch.
3282632d9325267c850072db7545a884a1637f51
# The Great Reformatting of 2022
abe49856d81f51136d543539202a0bf8fb946474
# Thank you for your contribution
You are welcome to open PR, but they are used for discussion only. All
patches must eventually go to the openvpn-devel mailing list for review:
* https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Please send your patch using [git-send-email](https://git-scm.com/docs/git-send-email). For example to send your latest commit to the list:
$ git send-email --to=openvpn-devel@lists.sourceforge.net HEAD~1
For details, see these Wiki articles:
* https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation
* https://community.openvpn.net/openvpn/wiki/Contributing
# The name of our workflow
name: Build
on: [push, pull_request]
jobs:
checkuncrustify:
name: "Check code style with Uncrustify"
# Ubuntu 22.04 has uncrustify 0.72_f
runs-on: ubuntu-22.04
steps:
- name: Install dependencies
run: sudo apt update && sudo apt install -y uncrustify
- name: Checkout OpenVPN
uses: actions/checkout@v2
with:
path: openvpn
- name: Show uncrustify version
run: uncrustify --version
- name: Run uncrustify
run: ./dev-tools/reformat-all.sh
working-directory: openvpn
- name: Check for changes
run: git diff --output=uncrustify-changes.patch
working-directory: openvpn
- name: Show changes on standard output
run: git diff
working-directory: openvpn
- uses: actions/upload-artifact@v2
with:
name: uncrustify-changes.patch
path: 'openvpn/uncrustify-changes.patch'
- name: Set job status
run: test ! -s uncrustify-changes.patch
working-directory: openvpn
mingw:
strategy:
fail-fast: false
matrix:
include:
- target: mingw64
chost: x86_64-w64-mingw32
- target: mingw
chost: i686-w64-mingw32
name: "gcc-mingw - ${{matrix.target}}"
runs-on: ubuntu-20.04
env:
MAKEFLAGS: -j3
LZO_VERSION: "2.10"
PKCS11_HELPER_VERSION: "1.29.0"
OPENSSL_VERSION: "1.1.1n"
TAP_WINDOWS_VERSION: "9.23.3"
CHOST: ${{ matrix.chost }}
TARGET: ${{ matrix.target }}
steps:
- name: Install dependencies
run: sudo apt update && sudo apt install -y mingw-w64 libtool automake autoconf man2html unzip
- name: Checkout OpenVPN
uses: actions/checkout@v2
with:
path: openvpn
- name: autoconf
run: autoreconf -fvi
working-directory: openvpn
- name: Cache dependencies
id: cache
uses: actions/cache@v2
with:
path: '~/mingw/'
key: ${{ matrix.target }}-mingw-${{ env.OPENSSL_VERSION }}-${{ env.LZO_VERSION }}-${{ env.PKCS11_HELPER_VERSION }}-${{ env.TAP_WINDOWS_VERSION }}
# Repeating if: steps.cache.outputs.cache-hit != 'true'
# on every step for building dependencies is ugly but
# I haven't found a better solution so far.
- name: Download mingw dependencies
if: steps.cache.outputs.cache-hit != 'true'
run: |
wget -c -P download-cache/ "https://build.openvpn.net/downloads/releases/tap-windows-${TAP_WINDOWS_VERSION}.zip"
wget -c -P download-cache/ "https://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz"
wget -c -P download-cache/ "https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${PKCS11_HELPER_VERSION}/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2"
wget -c -P download-cache/ "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"
tar jxf "download-cache/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2"
tar zxf "download-cache/openssl-${OPENSSL_VERSION}.tar.gz"
tar zxf "download-cache/lzo-${LZO_VERSION}.tar.gz"
unzip download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip
- name: Configure OpenSSL
if: steps.cache.outputs.cache-hit != 'true'
run: ./Configure --cross-compile-prefix=${CHOST}- shared ${{ matrix.target }} no-capieng --prefix="${HOME}/mingw/opt" --openssldir="${HOME}/mingw/opt" -static-libgcc
working-directory: "./openssl-${{ env.OPENSSL_VERSION }}"
- name: Build OpenSSL
if: steps.cache.outputs.cache-hit != 'true'
run: make
working-directory: "./openssl-${{ env.OPENSSL_VERSION }}"
- name: Install OpenSSL
if: steps.cache.outputs.cache-hit != 'true'
run: make install
working-directory: "./openssl-${{ env.OPENSSL_VERSION }}"
- name: autoreconf pkcs11-helper
if: steps.cache.outputs.cache-hit != 'true'
run: autoreconf -iv
working-directory: "./pkcs11-helper-${{ env.PKCS11_HELPER_VERSION }}"
- name: configure pkcs11-helper
if: steps.cache.outputs.cache-hit != 'true'
run: OPENSSL_LIBS="-L${HOME}/mingw/opt/lib -lssl -lcrypto" OPENSSL_CFLAGS=-I$HOME/mingw/opt/include PKG_CONFIG_PATH=${HOME}/mingw/opt/lib/pkgconfig ./configure --host=${CHOST} --program-prefix='' --libdir=${HOME}/mingw/opt/lib --prefix=${HOME}/mingw/opt --build=x86_64-pc-linux-gnu --disable-crypto-engine-gnutls --disable-crypto-engine-nss --disable-crypto-engine-polarssl --disable-crypto-engine-mbedtls
working-directory: "./pkcs11-helper-${{ env.PKCS11_HELPER_VERSION }}"
- name: build pkcs11-helper
if: steps.cache.outputs.cache-hit != 'true'
run: make all
working-directory: "./pkcs11-helper-${{ env.PKCS11_HELPER_VERSION }}"
- name: install pkcs11-helper
if: steps.cache.outputs.cache-hit != 'true'
run: make install
working-directory: "./pkcs11-helper-${{ env.PKCS11_HELPER_VERSION }}"
- name: Configure lzo
if: steps.cache.outputs.cache-hit != 'true'
run: ./configure --host=${CHOST} --program-prefix='' --libdir=${HOME}/mingw/opt/lib --prefix=${HOME}/mingw/opt --build=x86_64-pc-linux-gnu
working-directory: "./lzo-${{ env.LZO_VERSION }}"
- name: build lzo
if: steps.cache.outputs.cache-hit != 'true'
working-directory: "./lzo-${{ env.LZO_VERSION }}"
run: make
- name: install lzo
if: steps.cache.outputs.cache-hit != 'true'
working-directory: "./lzo-${{ env.LZO_VERSION }}"
run: make install
- name: copy tap-windows.h header
if: steps.cache.outputs.cache-hit != 'true'
run: cp ./tap-windows-${TAP_WINDOWS_VERSION}/include/tap-windows.h ${HOME}/mingw/opt/include/
- name: configure OpenVPN
run: PKG_CONFIG_PATH=${HOME}/mingw/opt/lib/pkgconfig LDFLAGS=-L$HOME/mingw/opt/lib CFLAGS=-I$HOME/mingw/opt/include OPENSSL_LIBS="-L${HOME}/opt/lib -lssl -lcrypto" OPENSSL_CFLAGS=-I$HOME/mingw/opt/include PREFIX=$HOME/mingw/opt LZO_CFLAGS=-I$HOME/mingw/opt/include LZO_LIBS="-L${HOME}/mingw/opt/lib -llzo2" ./configure --host=${CHOST} --disable-lz4 --enable-dco
working-directory: openvpn
- name: build OpenVPN
run: make -j3
working-directory: openvpn
ubuntu:
strategy:
fail-fast: false
matrix:
os: [ubuntu-18.04, ubuntu-20.04, ubuntu-22.04]
sslpkg: [libmbedtls-dev]
ssllib: [mbedtls]
libname: [mbed TLS]
include:
- os: ubuntu-18.04
sslpkg: "libssl1.0-dev"
ssllib: openssl
libname: OpenSSL 1.0.2
- os: ubuntu-18.04
sslpkg: "libssl-dev"
libname: OpenSSL 1.1.1
ssllib: openssl
- os: ubuntu-20.04
sslpkg: "libssl-dev"
libname: OpenSSL 1.1.1
ssllib: openssl
- os: ubuntu-22.04
sslpkg: "libssl-dev"
libname: OpenSSL 3.0.2
ssllib: openssl
- os: ubuntu-20.04
sslpkg: "libssl-dev"
libname: OpenSSL 1.1.1
ssllib: openssl
extraconf: "--enable-iproute2"
- os: ubuntu-20.04
sslpkg: "libssl-dev"
libname: OpenSSL 1.1.1
ssllib: openssl
extraconf: "--enable-async-push"
- os: ubuntu-20.04
sslpkg: "libssl-dev"
libname: OpenSSL 1.1.1
ssllib: openssl
extraconf: "--disable-management"
- os: ubuntu-20.04
sslpkg: "libssl-dev"
libname: OpenSSL 1.1.1
ssllib: openssl
extraconf: "--enable-small"
- os: ubuntu-20.04
sslpkg: "libssl-dev"
libname: OpenSSL 1.1.1
ssllib: openssl
extraconf: "--disable-lzo --disable-lz4"
- os: ubuntu-20.04
sslpkg: "libssl-dev"
libname: OpenSSL 1.1.1
ssllib: openssl
extraconf: "--enable-dco"
nlpkg: "libnl-genl-3-dev"
name: "gcc - ${{matrix.os}} - ${{matrix.libname}} ${{matrix.extraconf}}"
env:
SSLPKG: "${{matrix.sslpkg}}"
NLPKG: "${{matrix.nlpkg}}"
runs-on: ${{matrix.os}}
steps:
- name: Install dependencies
run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG} ${NLPKG}
- name: Checkout OpenVPN
uses: actions/checkout@v2
- name: autoconf
run: autoreconf -fvi
- name: configure
run: ./configure --with-crypto-library=${{matrix.ssllib}} ${{matrix.extraconf}} --enable-werror
- name: make all
run: make -j3
- name: make check
run: make check
ubuntu-clang-asan:
strategy:
fail-fast: false
matrix:
os: [ubuntu-20.04]
ssllib: [mbedtls, openssl]
name: "clang-asan - ${{matrix.os}} - ${{matrix.ssllib}}"
runs-on: ${{matrix.os}}
steps:
- name: Install dependencies
run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev
- name: Checkout OpenVPN
uses: actions/checkout@v2
- name: autoconf
run: autoreconf -fvi
- name: configure
run: CFLAGS="-fsanitize=address -fno-omit-frame-pointer -O2" CC=clang ./configure --with-crypto-library=${{matrix.ssllib}}
- name: make all
run: make -j3
- name: make check
run: make check
macos:
runs-on: macos-latest
strategy:
fail-fast: false
matrix:
ossl: [ 1.1, 3 ]
build: [ normal, asan ]
include:
- build: asan
cflags: "-fsanitize=address -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1"
ldflags: -fsanitize=address
# Our build system ignores LDFLAGS for plugins
configureflags: --disable-plugin-auth-pam --disable-plugin-down-root
- build: normal
cflags: "-O2 -g"
ldflags: ""
configureflags: ""
name: "macOS - OpenSSL ${{matrix.ossl}} - ${{matrix.build}}"
env:
CFLAGS: ${{ matrix.cflags }}
LDFLAGS: ${{ matrix.ldflags }}
OPENSSL_CFLAGS: -I/usr/local/opt/openssl@${{matrix.ossl}}/include
OPENSSL_LIBS: "-L/usr/local/opt/openssl@${{matrix.ossl}}/lib -lcrypto -lssl"
steps:
- name: Install dependencies
run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka libtool automake autoconf
- name: Checkout OpenVPN
uses: actions/checkout@v2
- name: autoconf
run: autoreconf -fvi
- name: configure
run: ./configure ${{matrix.configureflags}}
- name: make all
run: make -j4
- name: make check
run: make check
msvc:
strategy:
fail-fast: false
matrix:
plat: [ARM64, Win32, x64]
include:
- plat: ARM64
triplet: arm64
- plat: Win32
triplet: x86
- plat: x64
triplet: x64
name: "msbuild - ${{matrix.triplet}} - openssl"
env:
BUILD_CONFIGURATION: Release
VCPKG_OVERLAY_PORTS: ${{ github.workspace }}/contrib/vcpkg-ports
VCPKG_OVERLAY_TRIPLETS: ${{ github.workspace }}/contrib/vcpkg-triplets
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install rst2html
run: python -m pip install --upgrade pip rst2html
- name: Restore artifacts, or setup vcpkg (do not install any package)
uses: lukka/run-vcpkg@v10
with:
vcpkgGitCommitId: '4b766c1cd17205e1b768c4fadfd5f867c1d0510e'
appendedCacheKey: '${{matrix.triplet}}'
- name: Run MSBuild consuming vcpkg.json
working-directory: ${{env.GITHUB_WORKSPACE}}
run: |
vcpkg integrate install
msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform="${{ matrix.plat }}" .
- name: Archive artifacts
uses: actions/upload-artifact@v2
with:
name: artifacts-${{ matrix.plat }}
path: |
${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.exe
${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.dll
${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.pdb
doc/openvpn.8.html
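Review bot: The "Download mingw dependencies" step fetches four source archives with `wget`, and the following steps build and install them into the cached `~/mingw/` prefix without checking any digest or signature, so an altered upstream tarball would be compiled and then reused on every cache hit for that version key. Verifying each archive against digests kept in the repository before the `tar`/`unzip` lines, e.g. `sha256sum --check <checked-in digest list>` (placeholder name), would close that gap; the `download_*` functions in the two build-deps.sh scripts further down this page have the same gap. Separately, the "configure OpenVPN" step passes `OPENSSL_LIBS="-L${HOME}/opt/lib -lssl -lcrypto"` while every other path in the job uses `${HOME}/mingw/opt`, which looks like a typo for `-L${HOME}/mingw/opt/lib`. The third-party actions `lukka/run-vcpkg@v10` and `microsoft/setup-msbuild@v1` are referenced by mutable tags; pinning them to a full commit SHA would keep the jobs from silently following a retagged release.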
...@@ -34,7 +34,6 @@ config.sub ...@@ -34,7 +34,6 @@ config.sub
configure configure
configure.h configure.h
depcomp depcomp
doxygen/
stamp-h1 stamp-h1
install-sh install-sh
missing missing
...@@ -45,12 +44,19 @@ m4/ltoptions.m4 ...@@ -45,12 +44,19 @@ m4/ltoptions.m4
m4/ltsugar.m4 m4/ltsugar.m4
m4/ltversion.m4 m4/ltversion.m4
m4/lt~obsolete.m4 m4/lt~obsolete.m4
vcpkg_installed
version.sh version.sh
msvc-env-local.bat msvc-env-local.bat
config-msvc-local.h config-msvc-local.h
config-msvc-version.h config-msvc-version.h
doc/openvpn-examples.5
doc/openvpn-examples.5.html
doc/openvpn.8
doc/openvpn.8.html doc/openvpn.8.html
/doc/doxygen/html/
/doc/doxygen/latex/
/doc/doxygen/openvpn.doxyfile
distro/systemd/*.service distro/systemd/*.service
sample/sample-keys/sample-ca/ sample/sample-keys/sample-ca/
vendor/cmocka_build vendor/cmocka_build
stages:
- test
variables:
JOBS: 3
PREFIX: ${CI_PROJECT_DIR}/builds
TAP_WINDOWS_VERSION: 9.24.6
LZO_VERSION: "2.10"
PKCS11_HELPER_VERSION: "1.22"
MBEDTLS_VERSION: "2.26.0"
MBEDTLS_CFLAGS: -I${CI_PROJECT_DIR}/builds/include
MBEDTLS_LIBS: -L${CI_PROJECT_DIR}/builds/lib -lmbedtls -lmbedx509 -lmbedcrypto
OPENSSL_VERSION: 1.1.1m
OPENSSL_CFLAGS: -I${CI_PROJECT_DIR}/builds/include
OPENSSL_LIBS: -L${CI_PROJECT_DIR}/builds/lib -lssl -lcrypto
SSLLIB: "openssl"
default:
image: gcc:latest
before_script:
- apt-get update -qq && apt-get install -y -qq liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html build-essential python
- .gitlab/build-deps.sh
cache:
key: ${CI_JOB_NAME}
paths:
- download-cache/
- ${PREFIX}/
dco:
variables:
EXTRA_CONFIG: "--enable-dco"
before_script:
- apt-get update -qq && apt-get install -y -qq liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html build-essential python libnl-genl-3-dev
- .gitlab/build-deps.sh
script:
- .gitlab/build-check.sh
mtls-latest:
variables:
SSLLIB: "mbedtls"
script:
- .gitlab/build-check.sh
mtls-2_16_11:
variables:
MBEDTLS_VERSION: "2.16.11"
SSLLIB: "mbedtls"
script:
- .gitlab/build-check.sh
mtls-2_7_19:
variables:
MBEDTLS_VERSION: "2.7.19"
SSLLIB: "mbedtls"
script:
- .gitlab/build-check.sh
ossl:
variables:
SSLLIB: "openssl"
EXTRA_SCRIPT: "make distcheck"
artifacts:
paths:
- src/openvpn/openvpn
before_script:
- apt-get update -qq && apt-get install -y -qq liblzo2-dev libpam0g-dev liblz4-dev build-essential unzip python3-docutils libssl-dev
script:
- .gitlab/build-check.sh
ossl-gcc9:
image: gcc:9
script:
- .gitlab/build-check.sh
ossl-fedora-latest:
image: fedora:latest
before_script:
- yum -y install libtool openssl-devel lzo-devel pam-devel lz4-devel man2html python gcc make autoconf automake wget
script:
- .gitlab/build-check.sh
ossl-rockylinux-latest:
image: rockylinux:latest
before_script:
- yum -y install epel-release
- yum -y install libtool openssl-devel lzo-devel pam-devel lz4-devel man2html python39 gcc make autoconf automake wget
script:
- .gitlab/build-check.sh
ossl-1_1_0:
variables:
OPENSSL_VERSION: "1.1.0l"
script:
- .gitlab/build-check.sh
ossl-1_0_2:
variables:
OPENSSL_VERSION: "1.0.2u"
script:
- .gitlab/build-check.sh
#ossl-sanitizeaddr:
# variables:
# CFLAGS: "-fsanitize=address"
# script:
# - .gitlab/build-check.sh
ossl-sanitizeleak:
variables:
CFLAGS: "-fsanitize=leak"
script:
- .gitlab/build-check.sh
ossl-sanitizeundef:
variables:
CFLAGS: "-fsanitize=undefined"
script:
- .gitlab/build-check.sh
ossl-win64:
variables:
CHOST: "x86_64-w64-mingw32"
EXTRA_CONFIG: "--disable-lz4"
artifacts:
paths:
- src/openvpn/openvpn.exe
name: "openvpn_win64-${CI_COMMIT_REF_SLUG}"
before_script:
- apt-get update -qq && apt-get install -y -qq liblzo2-dev libpam0g-dev build-essential mingw-w64 unzip man2html
- .gitlab/build-deps.sh
script:
- .gitlab/build-check.sh
ossl-win32:
variables:
CHOST: "i686-w64-mingw32"
EXTRA_CONFIG: "--disable-lz4"
before_script:
- apt-get update -qq && apt-get install -y -qq liblzo2-dev libpam0g-dev build-essential mingw-w64 unzip man2html
- .gitlab/build-deps.sh
script:
- .gitlab/build-check.sh
mtls-iproute2:
variables:
SSLLIB: "mbedtls"
EXTRA_CONFIG: "--enable-iproute2"
before_script:
- apt-get update -qq && apt-get install -y -qq liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html build-essential iproute2 python
- .gitlab/build-deps.sh
script:
- .gitlab/build-check.sh
ossl-nolzo:
before_script:
- apt-get update -qq && apt-get install -y -qq libpam0g-dev liblz4-dev build-essential unzip
- .gitlab/build-deps.sh
variables:
EXTRA_CONFIG: "--disable-lzo"
script:
- .gitlab/build-check.sh
ossl-small:
variables:
EXTRA_CONFIG: "--enable-small"
script:
- .gitlab/build-check.sh
ossl-asyncpush:
variables:
EXTRA_CONFIG: "--enable-async-push"
script:
- .gitlab/build-check.sh
ossl-no-mgmt:
variables:
EXTRA_CONFIG: "--disable-management"
script:
- .gitlab/build-check.sh
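Review bot: The default `image: gcc:latest` and the `fedora:latest` / `rockylinux:latest` jobs use floating tags, so the toolchain can change between two runs of the same commit, while the cache of `${PREFIX}/` is keyed only on `${CI_JOB_NAME}` and would presumably keep libraries built by the earlier image. Pinning each image to a version tag or digest, as `ossl-gcc9` already does with `image: gcc:9`, makes the runs reproducible and keeps cached dependencies consistent with the compiler. The commented-out `ossl-sanitizeaddr` job would also benefit from a one-line comment such as `# disabled: <reason>` so it is clear why the address sanitizer is off while the leak and undefined-behaviour jobs run.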
#!/bin/sh
set -eux
export LD_LIBRARY_PATH="${PREFIX}/lib:${LD_LIBRARY_PATH:-}"
autoreconf -vi
if [ -z ${CHOST+x} ]; then
./configure --with-crypto-library="${SSLLIB}" ${EXTRA_CONFIG:-} || (cat config.log && exit 1)
make -j$JOBS
src/openvpn/openvpn --version || true
ldd src/openvpn/openvpn
make check
${EXTRA_SCRIPT:-}
else
export TAP_CFLAGS="-I${PWD}/tap-windows-${TAP_WINDOWS_VERSION}/include"
export LZO_CFLAGS="-I${PREFIX}/include"
export LZO_LIBS="-L${PREFIX}/lib -llzo2"
export PKCS11_HELPER_LIBS="-L${PREFIX}/lib -lpkcs11-helper"
export PKCS11_HELPER_CFLAGS="-I${PREFIX}/include"
./configure --with-crypto-library="${SSLLIB}" --host=${CHOST} --build=x86_64-pc-linux-gnu --enable-pkcs11 --disable-plugins ${EXTRA_CONFIG:-} || (cat config.log && exit 1)
make -j${JOBS}
fi
#!/bin/sh
set -eux
# Set defaults
PREFIX="${PREFIX:-${HOME}/opt}"
download_tap_windows () {
if [ ! -f "download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip" ]; then
wget -P download-cache/ \
"http://build.openvpn.net/downloads/releases/tap-windows-${TAP_WINDOWS_VERSION}.zip"
fi
}
download_lzo () {
if [ ! -f "download-cache/lzo-${LZO_VERSION}.tar.gz" ]; then
wget -P download-cache/ \
"http://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz"
fi
}
build_lzo () {
if [ "$(cat ${PREFIX}/.lzo-version)" != "${LZO_VERSION}" ]; then
tar zxf download-cache/lzo-${LZO_VERSION}.tar.gz
(
cd "lzo-${LZO_VERSION}"
./configure --host=${CHOST} --program-prefix='' \
--libdir=${PREFIX}/lib --prefix=${PREFIX} --build=x86_64-pc-linux-gnu
make all install
)
echo "${LZO_VERSION}" > "${PREFIX}/.lzo-version"
fi
}
download_pkcs11_helper () {
if [ ! -f "pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2" ]; then
wget -P download-cache/ \
"https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${PKCS11_HELPER_VERSION}/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2"
fi
}
build_pkcs11_helper () {
if [ "$(cat ${PREFIX}/.pkcs11_helper-version)" != "${PKCS11_HELPER_VERSION}" ]; then
tar jxf download-cache/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2
(
cd "pkcs11-helper-${PKCS11_HELPER_VERSION}"
./configure --host=${CHOST} --program-prefix='' --libdir=${PREFIX}/lib \
--prefix=${PREFIX} --build=x86_64-pc-linux-gnu \
--disable-crypto-engine-gnutls \
--disable-crypto-engine-nss \
--disable-crypto-engine-polarssl \
--disable-crypto-engine-mbedtls
make all install
)
echo "${PKCS11_HELPER_VERSION}" > "${PREFIX}/.pkcs11_helper-version"
fi
}
download_mbedtls () {
if [ ! -f "download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz" ]; then
wget "https://github.com/ARMmbed/mbedtls/archive/refs/tags/v${MBEDTLS_VERSION}.tar.gz" \
-O download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz
fi
}
build_mbedtls () {
if [ "$(cat ${PREFIX}/.mbedtls-version)" != "${MBEDTLS_VERSION}" ]; then
tar zxf download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz
(
cd "mbedtls-${MBEDTLS_VERSION}"
make
make install DESTDIR="${PREFIX}"
)
echo "${MBEDTLS_VERSION}" > "${PREFIX}/.mbedtls-version"
fi
}
download_openssl () {
if [ ! -f "download-cache/openssl-${OPENSSL_VERSION}.tar.gz" ]; then
wget -P download-cache/ \
"https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"
fi
}
build_openssl_linux () {
(
cd "openssl-${OPENSSL_VERSION}/"
./config shared --prefix="${PREFIX}" --openssldir="${PREFIX}" -DPURIFY
make all install_sw
)
}
build_openssl_osx () {
(
cd "openssl-${OPENSSL_VERSION}/"
./Configure darwin64-x86_64-cc shared \
--prefix="${PREFIX}" --openssldir="${PREFIX}" -DPURIFY
make depend all install_sw
)
}
build_openssl_mingw () {
(
cd "openssl-${OPENSSL_VERSION}/"
if [ "${CHOST}" = "i686-w64-mingw32" ]; then
export TARGET=mingw
elif [ "${CHOST}" = "x86_64-w64-mingw32" ]; then
export TARGET=mingw64
fi
./Configure --cross-compile-prefix=${CHOST}- shared \
${TARGET} no-capieng --prefix="${PREFIX}" --openssldir="${PREFIX}" -static-libgcc
make install
)
}
build_openssl () {
if [ "$(cat ${PREFIX}/.openssl-version)" != "${OPENSSL_VERSION}" ]; then
tar zxf "download-cache/openssl-${OPENSSL_VERSION}.tar.gz"
if [ ! -z ${CHOST+x} ]; then
build_openssl_mingw
else
build_openssl_linux
fi
echo "${OPENSSL_VERSION}" > "${PREFIX}/.openssl-version"
fi
}
mkdir -p ${PREFIX}
mkdir -p download-cache
# Download and build crypto lib
if [ "${SSLLIB}" = "openssl" ]; then
download_openssl
build_openssl
elif [ "${SSLLIB}" = "mbedtls" ]; then
download_mbedtls
build_mbedtls
else
echo "Invalid crypto lib: ${SSLLIB}"
exit 1
fi
# Download and build dependencies for mingw cross build
# dependencies are the same as in regular windows installer build
if [ ! -z ${CHOST+x} ]; then
download_tap_windows
unzip download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip
download_lzo
build_lzo
download_pkcs11_helper
build_pkcs11_helper
fi
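Review bot: `download_tap_windows` and `download_lzo` fetch over plain `http://`, and nothing in the script verifies the archives before `build_lzo` runs their `configure` and `make`, so the content that gets built can be altered in transit. The Travis copy of this script lower on the page already uses `https://` for the same two hosts, so changing the scheme in both URLs should be enough for transport integrity. `download_pkcs11_helper` tests for `pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2` in the working directory although `wget -P download-cache/` stores it under `download-cache/`, so the cached copy is never detected; the test should read `if [ ! -f "download-cache/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2" ]; then`. The Travis script has the same mismatch with its `.tar.gz` name.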
Adriaan de Jong <dejong@fox-it.com> <adriaan@adriaan-VirtualBox.(none)>
David Sommerseth <dazo@eurephia.net> <dazo@users.sourceforge.net>
Gert Doering <gert@greenie.muc.de> <gd@medat.de>
Gert Doering <gert@greenie.muc.de> <gert@fbsd74.ov.greenie.net>
Gert Doering <gert@greenie.muc.de> <gert@fbsd90.ov.greenie.net>
Gert Doering <gert@greenie.muc.de> <gert@mobile.greenie.muc.de>
James Yonan <james@openvpn.net> <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
Jan Just Keijser <janjust@nikhef.nl> <janjust@nikhef.nl>
JuanJo Ciarlante <jjo@google.com> <jjo+ml@google.com>
Karl O. Pinc <kop@meme.com> <kop@mofo.meme.com>
Robert Fischer <ml-openvpn@trispace.org> <ml-openvpn@trispace.org>
Samuli Seppänen <samuli@openvpn.net> <samuli@openvpn.net>
Seth Mos <seth.mos@dds.nl> <seth.mos@dds.nl>
james = James Yonan <james@openvpn.net>
dist: bionic
os: linux
language: c
env:
global:
- JOBS=3
- RUN_SUDO="false"
- PREFIX="${HOME}/opt"
- TAP_WINDOWS_VERSION=9.23.3
- LZO_VERSION=2.10
- PKCS11_HELPER_VERSION=1.26
- MBEDTLS_VERSION=2.16.4
- MBEDTLS_CFLAGS="-I${PREFIX}/include"
- MBEDTLS_LIBS="-L${PREFIX}/lib -lmbedtls -lmbedx509 -lmbedcrypto"
- OPENSSL_VERSION=1.0.2u
- OPENSSL_CFLAGS="-I${PREFIX}/include"
- OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto"
# The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
# via the "travis encrypt" command using the project repo's public key
- secure: "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"
jobs:
include:
- name: cl
env:
- SSLLIB="openssl"
- OPENSSL_VERSION="1.1.1d"
- P7Z="c:\Program Files\7-Zip\7z.exe"
- CC="cl"
os: windows
compiler: cl
- name: Coverity scan
env: SSLLIB="openssl" RUN_COVERITY="1"
os: linux
compiler: gcc
- name: gcc | openssl-1.1.1d
env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d"
os: linux
arch: amd64
compiler: gcc
- name: gcc | openssl-1.1.1d
env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d"
os: linux
arch: ppc64le
compiler: gcc
- name: gcc | openssl-1.1.1d
env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d"
os: linux
arch: arm64
compiler: gcc
- name: gcc | openssl-1.1.1d
env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d"
os: linux
arch: s390x
compiler: gcc
- name: gcc | openssl-1.0.2u | iproute2
env: SSLLIB="openssl" EXTRA_CONFIG="--enable-iproute2"
os: linux
compiler: gcc
- name: clang+asan | openssl-1.0.2u
env: SSLLIB="openssl" CFLAGS="-fsanitize=address" CC=clang-9
os: linux
compiler: clang
- name: clang | openssl-1.1.1d
env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d" CC=clang-9
os: linux
compiler: clang
- name: gcc | mbedtls
env: SSLLIB="mbedtls"
os: linux
compiler: gcc
- name: clang+asan | mbedtls
env: SSLLIB="mbedtls" CFLAGS="-fsanitize=address" CC=clang-9
os: linux
compiler: clang
- name: clang | openssl-1.0.2u
env: SSLLIB="openssl"
os: osx
compiler: clang
- name: clang | mbedtls
env: SSLLIB="mbedtls"
os: osx
compiler: clang
- name: mingw64 | openssl-1.1.1d
env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.1.1d"
os: linux
compiler: ": Win64 build only"
- name: mingw32 | openssl-1.0.2u
env: SSLLIB="openssl" CHOST=i686-w64-mingw32
os: linux
compiler: ": Win32 build only"
- name: clang | openssl-1.0.2u | disable-lzo | distcheck
env: SSLLIB="openssl" EXTRA_CONFIG="--disable-lzo" EXTRA_SCRIPT="make distcheck" CC=clang-9
os: linux
compiler: clang
- name: clang | openssl-1.0.2u | enable-small
env: SSLLIB="openssl" EXTRA_CONFIG="--enable-small" CC=clang-9
os: linux
compiler: clang
addons:
apt:
update: true
packages: [ liblzo2-dev, libpam0g-dev, liblz4-dev, linux-libc-dev, man2html, mingw-w64, clang-9, libcmocka-dev, python3-docutils ]
homebrew:
update: true
packages: [ lzo, lz4, cmocka ]
cache:
directories:
- download-cache
- ${HOME}/opt
- ${HOME}/Library/Caches/Homebrew
install:
- if [ ! -z "${CHOST}" ]; then unset CC; fi
- travis_wait 30 bash -c '.travis/build-deps.sh > build-deps.log 2>&1' || (cat build-deps.log && exit 1)
before_script:
- .travis/coverity.sh
script:
- .travis/build-check.sh
#!/bin/sh
set -eux
if [ "${TRAVIS_OS_NAME}" = "windows" ]; then
PATH="/c/Program Files (x86)/Microsoft Visual Studio/2019/BuildTools/MSBuild/Current/Bin/":$PATH
MSBuild.exe openvpn.sln //p:Platform=x64 && exit 0
fi
autoreconf -vi
if [ -z ${CHOST+x} ]; then
if [ "${TRAVIS_OS_NAME}" = "linux" ]; then
export EXTRA_CONFIG="${EXTRA_CONFIG:-} --enable-werror"
fi
./configure --with-crypto-library="${SSLLIB}" ${EXTRA_CONFIG:-} || (cat config.log && exit 1)
make LDFLAGS="-Wl,-rpath,${PREFIX}/lib" -j$JOBS
src/openvpn/openvpn --version || true
if [ "${TRAVIS_OS_NAME}" = "linux" ]; then
ldd src/openvpn/openvpn;
fi
if [ "${TRAVIS_OS_NAME}" = "osx" ]; then otool -L src/openvpn/openvpn; fi
make check
${EXTRA_SCRIPT:-}
else
export TAP_CFLAGS="-I${PWD}/tap-windows-${TAP_WINDOWS_VERSION}/include"
export LZO_CFLAGS="-I${PREFIX}/include"
export LZO_LIBS="-L${PREFIX}/lib -llzo2"
export PKCS11_HELPER_LIBS="-L${PREFIX}/lib -lpkcs11-helper"
export PKCS11_HELPER_CFLAGS="-I${PREFIX}/include"
./configure --with-crypto-library="${SSLLIB}" --host=${CHOST} --build=x86_64-pc-linux-gnu --enable-pkcs11 --disable-plugins || (cat config.log && exit 1)
make -j${JOBS}
fi
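Review bot: In the Windows branch, `MSBuild.exe openvpn.sln //p:Platform=x64 && exit 0` does not stop the script when MSBuild fails, because `set -e` ignores a failing command on the left of `&&`; execution then falls through to `autoreconf -vi` and the autotools path. The failure should be reported at the MSBuild step itself by splitting the line into `MSBuild.exe openvpn.sln //p:Platform=x64` followed by `exit 0`, so that `set -e` aborts on a non-zero MSBuild exit.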
#!/bin/sh
set -eux
if [ "${TRAVIS_OS_NAME}" = "windows" ]; then
choco install strawberryperl nasm
choco install visualstudio2019buildtools --package-parameters "--includeRecommended --includeOptional"
choco install visualstudio2019-workload-vctools
cd ..
git clone https://github.com/openvpn/openvpn-build.git
cd openvpn-build
PATH="/c/Strawberry/perl/bin:":$PATH MODE=DEPS msvc/build.bat
exit 0
fi
# Set defaults
PREFIX="${PREFIX:-${HOME}/opt}"
download_tap_windows () {
if [ ! -f "download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip" ]; then
wget -P download-cache/ \
"https://build.openvpn.net/downloads/releases/tap-windows-${TAP_WINDOWS_VERSION}.zip"
fi
}
download_lzo () {
if [ ! -f "download-cache/lzo-${LZO_VERSION}.tar.gz" ]; then
wget -P download-cache/ \
"https://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz"
fi
}
build_lzo () {
if [ "$(cat ${PREFIX}/.lzo-version)" != "${LZO_VERSION}" ]; then
tar zxf download-cache/lzo-${LZO_VERSION}.tar.gz
(
cd "lzo-${LZO_VERSION}"
./configure --host=${CHOST} --program-prefix='' \
--libdir=${PREFIX}/lib --prefix=${PREFIX} --build=x86_64-pc-linux-gnu
make all install
)
echo "${LZO_VERSION}" > "${PREFIX}/.lzo-version"
fi
}
download_pkcs11_helper () {
if [ ! -f "pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.gz" ]; then
wget -P download-cache/ \
"https://github.com/OpenSC/pkcs11-helper/archive/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.gz"
fi
}
build_pkcs11_helper () {
if [ "$(cat ${PREFIX}/.pkcs11_helper-version)" != "${PKCS11_HELPER_VERSION}" ]; then
tar xf download-cache/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.gz
(
cd "pkcs11-helper-pkcs11-helper-${PKCS11_HELPER_VERSION}"
autoreconf -iv
./configure --host=${CHOST} --program-prefix='' --libdir=${PREFIX}/lib \
--prefix=${PREFIX} --build=x86_64-pc-linux-gnu \
--disable-crypto-engine-gnutls \
--disable-crypto-engine-nss \
--disable-crypto-engine-polarssl \
--disable-crypto-engine-mbedtls
make all install
)
echo "${PKCS11_HELPER_VERSION}" > "${PREFIX}/.pkcs11_helper-version"
fi
}
download_mbedtls () {
if [ ! -f "download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz" ]; then
wget -P download-cache/ \
"https://tls.mbed.org/download/mbedtls-${MBEDTLS_VERSION}-apache.tgz"
fi
}
build_mbedtls () {
if [ "$(cat ${PREFIX}/.mbedtls-version)" != "${MBEDTLS_VERSION}" ]; then
tar zxf download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz
(
cd "mbedtls-${MBEDTLS_VERSION}"
make
make install DESTDIR="${PREFIX}"
)
echo "${MBEDTLS_VERSION}" > "${PREFIX}/.mbedtls-version"
fi
}
download_openssl () {
if [ ! -f "download-cache/openssl-${OPENSSL_VERSION}.tar.gz" ]; then
MAJOR=`echo $OPENSSL_VERSION | sed -e 's/\([0-9.]*\).*/\1/'`
wget -P download-cache/ \
"https://www.openssl.org/source/old/${MAJOR}/openssl-${OPENSSL_VERSION}.tar.gz"
fi
}
build_openssl_linux () {
(
cd "openssl-${OPENSSL_VERSION}/"
./config shared --prefix="${PREFIX}" --openssldir="${PREFIX}" -DPURIFY
make all install_sw
)
}
build_openssl_osx () {
(
cd "openssl-${OPENSSL_VERSION}/"
./Configure darwin64-x86_64-cc shared \
--prefix="${PREFIX}" --openssldir="${PREFIX}" -DPURIFY
make depend all install_sw
)
}
build_openssl_mingw () {
(
cd "openssl-${OPENSSL_VERSION}/"
if [ "${CHOST}" = "i686-w64-mingw32" ]; then
export TARGET=mingw
elif [ "${CHOST}" = "x86_64-w64-mingw32" ]; then
export TARGET=mingw64
fi
./Configure --cross-compile-prefix=${CHOST}- shared \
${TARGET} no-capieng --prefix="${PREFIX}" --openssldir="${PREFIX}" -static-libgcc
make install
)
}
build_openssl () {
if [ "$(cat ${PREFIX}/.openssl-version)" != "${OPENSSL_VERSION}" ]; then
tar zxf "download-cache/openssl-${OPENSSL_VERSION}.tar.gz"
if [ ! -z ${CHOST+x} ]; then
build_openssl_mingw
elif [ "${TRAVIS_OS_NAME}" = "osx" ]; then
build_openssl_osx
elif [ "${TRAVIS_OS_NAME}" = "linux" ]; then
build_openssl_linux
fi
echo "${OPENSSL_VERSION}" > "${PREFIX}/.openssl-version"
fi
}
# Download and build crypto lib
if [ "${SSLLIB}" = "openssl" ]; then
download_openssl
build_openssl
elif [ "${SSLLIB}" = "mbedtls" ]; then
download_mbedtls
build_mbedtls
else
echo "Invalid crypto lib: ${SSLLIB}"
exit 1
fi
# Download and build dependencies for mingw cross build
# dependencies are the same as in regular windows installer build
if [ ! -z ${CHOST+x} ]; then
download_tap_windows
unzip download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip
download_lzo
build_lzo
download_pkcs11_helper
build_pkcs11_helper
fi
#!/bin/sh
set -eu
RUN_COVERITY="${RUN_COVERITY:-0}"
export COVERITY_SCAN_PROJECT_NAME="OpenVPN/openvpn"
export COVERITY_SCAN_BRANCH_PATTERN="release\/2.4"
export COVERITY_SCAN_NOTIFICATION_EMAIL="scan-reports@openvpn.net"
export COVERITY_SCAN_BUILD_COMMAND_PREPEND="autoreconf -vi && ./configure --enable-iproute2 && make clean"
export COVERITY_SCAN_BUILD_COMMAND="make"
if [ "${RUN_COVERITY}" = "1" ]; then
# Ignore exit code, script exits with 1 if we're not on the right branch
curl -s "https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh" | bash || true
else
echo "Skipping coverity scan because \$RUN_COVERITY != \"1\""
fi
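Review bot: The `curl -s … | bash || true` line in the `RUN_COVERITY` branch executes whatever scan.coverity.com returns inside the CI job with no integrity check. Because `-s` is used without `-f` and `|| true` discards the pipeline status, a failed or altered download cannot be told apart from the expected wrong-branch exit. If this script is kept (the page does not show whether its lines are added or removed), fetch to a file and verify it before running: `curl -fsSL -o coverity_scan.sh "https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh"`, then `echo "<pinned-sha256>  coverity_scan.sh" | sha256sum -c -`, then `bash coverity_scan.sh || true`. `<pinned-sha256>` is a placeholder for the digest of a reviewed copy of the script, and the pin has to be refreshed whenever upstream changes it.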
CONTRIBUTING TO THE OPENVPN PROJECT
===================================
Patches should be written against the Git "master" branch. Some patches may get
backported to a release branch.
The preferred procedure to send patches to the "openvpn-devel" mailing list:
- https://lists.sourceforge.net/lists/listinfo/openvpn-devel
While we do not merge GitHub pull requests as-is, we do allow their use for code
review purposes. After the patch has been ACKed (reviewed and accepted), it must
be sent to the mailing list. This last step does not necessarily need to be done
by the patch author, although that is definitely recommended.
When sending patches to "openvpn-devel" the subject line should be prefixed with
[PATCH]. To avoid merging issues the patches should be generated with
git-format-patch or sent using git-send-email. Try to split large patches into
small, atomic pieces to make reviews easier.
Please make sure that the source code formatting follows the guidelines at
https://community.openvpn.net/openvpn/wiki/CodeStyle. Automated checking can be
done with uncrustify (http://uncrustify.sourceforge.net/) and the configuration
file which can be found in the git repository at dev-tools/uncrustify.conf.
There is also a git pre-commit hook script, which runs uncrustify automatically
each time you commit and lets you format your code conveniently, if needed.
To install the hook simply run: dev-tools/git-pre-commit-uncrustify.sh install
If you want quick feedback on a patch before sending it to openvpn-devel mailing
list, you can visit the #openvpn-devel channel on irc.libera.chat. Note that
you need to be logged in to Libera to join the channel:
- https://libera.chat/guides/registration
More detailed contribution instructions are available here:
- https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation
Note that the process for contributing to other OpenVPN projects such as
openvpn-build, openvpn-gui, tap-windows6 and easy-rsa may differ from what was
described above. Please refer to the contribution instructions of each
respective project.
OpenVPN (TM) -- An Open Source VPN daemon OpenVPN (TM) -- An Open Source VPN daemon
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
This distribution contains multiple components, some This distribution contains multiple components, some
of which fall under different licenses. By using OpenVPN of which fall under different licenses. By using OpenVPN
......
OpenVPN Change Log OpenVPN Change Log
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
2020.04.16 -- Version 2.4.9
Antonio Quartulli (1):
socks: use the right function when printing struct openvpn_sockaddr
Arne Schwabe (3):
Fetch OpenSSL versions via source/old links
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL 1.1.1 not using auto elliptic curve selection
Lev Stipakov (4):
Fix broken fragmentation logic when using NCP
Fix building with --enable-async-push in FreeBSD
Fix broken async push with NCP is used
Fix illegal client float (CVE-2020-11810)
Maxim Plotnikov (1):
OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
Santtu Lakkala (1):
Fix OpenSSL private key passphrase notices
Selva Nair (7):
Swap the order of checks for validating interactive service user
Move querying username/password from management interface to a function
When auth-user-pass file has no password query the management interface (if available).
Fix possibly uninitialized return value in GetOpenvpnSettings()
Fix possible access of uninitialized pipe handles
Skip expired certificates in Windows certificate store
Allow unicode search string in --cryptoapicert option
Tom van Leeuwen (1):
mbedTLS: Make sure TLS session survives move
WGH (1):
docs: Add reference to X509_LOOKUP_hash_dir(3)
2019.10.30 -- Version 2.4.8
Antonio Quartulli (1):
mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
Arne Schwabe (1):
Remove -no-cpp-precomp flag from Darwin builds
David Sommerseth (3):
cleanup: Remove RPM openvpn.spec build approach
docs: Update INSTALL
build: Package missing mock_msg.h
Gert Doering (4):
repair windows builds (2.4)
Increase listen() backlog queue to 32
Force combinationation of --socks-proxy and --proto UDP to use IPv4.
Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
Gisle Vanem (1):
Wrong FILETYPE in .rc files
Hilko Bengen (1):
Do not set pkcs11-helper 'safe fork mode'
Ilya Shipitsin (2):
travis-ci: add "linux-ppc64le" to build matrix, change trusty image to xenial, update osx to xcode9.4 and modernize brew management
travis-ci: fix osx builds
Kyle Evans (1):
tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
Lev Stipakov (1):
Fix various compiler warnings
Matthias Andree (1):
Fix regression, reinstate LibreSSL support.
Michal Soltys (1):
man: correct the description of --capath and --crl-verify regarding CRLs
Mykola Baibuz (1):
Fix typo in NTLM proxy debug message
Richard Bonhomme (1):
Ignore --pull-filter for --mode server
Rosen Penev (1):
openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
Selva Nair (3):
Better error message when script fails due to script-security setting
Correct the return value of cryptoapi RSA signature callbacks
Handle PSS padding in cryptoapicert
Steffan Karger (1):
cmocka: use relative paths
Thomas Quinot (1):
Fix documentation of tls-verify script argument
2019.02.18 -- Version 2.4.7
Adam Ciarcin?ski (1):
Fix subnet topology on NetBSD (2.4).
Antonio Quartulli (3):
add support for %lu in argv_printf and prevent ASSERT
buffer_list: add functions documentation
ifconfig-ipv6(-push): allow using hostnames
Arne Schwabe (7):
Properly free tuntap struct on android when emulating persist-tun
Add OpenSSL compat definition for RSA_meth_set_sign
Add support for tls-ciphersuites for TLS 1.3
Add better support for showing TLS 1.3 ciphersuites in --show-tls
Use right function to set TLS1.3 restrictions in show-tls
Add message explaining early TLS client hello failure
Fallback to password authentication when auth-token fails
Christian Ehrhardt (1):
systemd: extend CapabilityBoundingSet for auth_pam
David Sommerseth (1):
plugin: Export base64 encode and decode functions
Gert Doering (3):
Add %d, %u and %lu tests to test_argv unit tests.
Fix combination of --dev tap and --topology subnet across multiple platforms.
Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
Gert van Dijk (1):
Minor reliability layer documentation fixes
James Bekkema (1):
Resolves small IV_GUI_VER typo in the documentation.
Jonathan K. Bullard (1):
Clarify and expand management interface documentation
Lev Stipakov (5):
Refactor NCP-negotiable options handling
init.c: refine functions names and description
interactive.c: fix usage of potentially uninitialized variable
options.c: fix broken unary minus usage
Remove extra token after #endif
Richard van den Berg via Openvpn-devel (1):
Fix error message when using RHEL init script
Samy Mahmoudi (1):
man: correct a --redirection-gateway option flag
Selva Nair (7):
Replace M_DEBUG with D_LOW as the former is too verbose
Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
Bump version of openvpn plugin argument structs to 5
Move get system directory to a separate function
Enable dhcp on tap adapter using interactive service
Pass the hash without the DigestInfo header to NCryptSignHash()
White-list pull-filter and script-security in interactive service
Simon Rozman (2):
Add Interactive Service developer documentation
Detect TAP interfaces with root-enumerated hardware ID
Steffan Karger (7):
man: add security considerations to --compress section
mbedtls: print warning if random personalisation fails
Fix memory leak after sighup
travis: add OpenSSL 1.1 Windows build
Fix --disable-crypto build
Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
buffer_list_aggregate_separator(): simplify code
2018.04.19 -- Version 2.4.6
David Sommerseth (1):
management: Warn if TCP port is used without password
Gert Doering (2):
Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
Fix potential double-free() in Interactive Service (CVE-2018-9336)
Gert van Dijk (1):
manpage: improve description of --status and --status-version
Joost Rijneveld (1):
Make return code external tls key match docs
Selva Nair (3):
Delete the IPv6 route to the "connected" network on tun close
Management: warn about password only when the option is in use
Avoid overflow in wakeup time computation
Simon Matter (1):
Add missing #ifdef SSL_OP_NO_TLSv1_1/2
Steffan Karger (1):
Check for more data in control channel
2018.02.28 -- Version 2.4.5
Antonio Quartulli (4):
reload HTTP proxy credentials when moving to the next connection profile
Allow learning iroutes with network made up of all 0s (only if netbits < 8)
mbedtls: fix typ0 in comment
manpage: fix simple typ0
Arne Schwabe (2):
Treat dhcp-option DNS6 and DNS identical
show the right string for key-direction
Bertrand Bonnefoy-Claudet (1):
Fix typo in error message: "optione" -> "option"
David Sommerseth (8):
lz4: Fix confused version check
lz4: Fix broken builds when pkg-config is not present but system library is
Remove references to keychain-mcd in Changes.rst
lz4: Rebase compat-lz4 against upstream v1.7.5
systemd: Add and ship README.systemd
Update copyright to include 2018 plus company name change
man: Add .TQ groff support macro
man: Reword --management to prefer unix sockets over TCP
Emmanuel Deloget (1):
OpenSSL: check EVP_PKEY key types before returning the pkey
Gert Doering (2):
Remove warning on pushed tun-ipv6 option.
Fix removal of on-link prefix on windows with netsh
Ilya Shipitsin (2):
travis-ci: add brew cache, remove ccache
travis-ci: modify openssl build script to support openssl-1.1.0
James Bottomley (1):
autoconf: Fix engine checks for openssl 1.1
Jeremie Courreges-Anglas (2):
Cast time_t to long long in order to print it.
Fix build with LibreSSL
Selva Nair (14):
Check whether in pull_mode before warning about previous connection blocks
Avoid illegal memory access when malformed data is read from the pipe
Fix missing check for return value of malloc'd buffer
Return NULL if GetAdaptersInfo fails
Use RSA_meth_free instead of free
Bring cryptoapi.c upto speed with openssl 1.1
Add SSL_CTX_get_max_proto_version() not in openssl 1.0
TLS v1.2 support for cryptoapicert -- RSA only
Refactor get_interface_metric to return metric and auto flag separately
Ensure strings read from registry are null-terminated
Make most registry values optional
Use lowest metric interface when multiple interfaces match a route
Adapt to RegGetValue brokenness in Windows 7
Fix format spec errors in Windows builds
Simon Rozman (11):
Local functions are not supported in MSVC. Bummer.
Mixing wide and regular strings in concatenations is not allowed in MSVC.
RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
Simplify iphlpapi.dll API calls
Fix local #include to use quoted form
Document ">PASSWORD:Auth-Token" real-time message
Fix typo in "verb" command examples
Uniform swprintf() across MinGW and MSVC compilers
MSVC meta files added to .gitignore list
openvpnserv: Add support for multi-instances
Document missing OpenVPN states
Steffan Karger (21):
make struct key * argument of init_key_ctx const
buffer_list_aggregate_separator(): add unit tests
Add --tls-cert-profile option.
Use P_DATA_V2 for server->client packets too
Fix memory leak in buffer unit tests
buffer_list_aggregate_separator(): update list size after aggregating
buffer_list_aggregate_separator(): don't exceed max_len
buffer_list_aggregate_separator(): prevent 0-byte malloc
Fix types around buffer_list_push(_data)
ssl_openssl: fix compiler warning by removing getbio() wrapper
travis: use clang's -fsanitize=address to catch more bugs
Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Add support for TLS 1.3 in --tls-version-{min, max}
Plug memory leak if push is interrupted
Fix format errors when cross-compiling for Windows
Log pre-handshake packet drops using D_MULTI_DROPPED
Enable stricter compiler warnings by default
Get rid of ax_check_compile_flag.m4
mbedtls: don't use API deprecated in mbed 2.7
Warn if tls-version-max < tls-version-min
Don't throw fatal errors from create_temp_file()
hashiz (1):
Fix '--bind ipv6only'
2017.09.25 -- Version 2.4.4
Antonio Quartulli (23):
crypto: correct typ0 in error message
use M_ERRNO instead of explicitly printing errno
don't print errno twice
ntlm: avoid useless cast
ntlm: unwrap multiple function calls
route: improve error message
management: preserve wait_for_push field when asking for user/pass
tls-crypt: avoid warnings when --disable-crypto is used
ntlm: convert binary buffers to uint8_t *
ntlm: restyle compressed multiple function calls
ntlm: improve code style and readability
OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
make function declarations C99 compliant
remove unused functions
use NULL instead of 0 when assigning pointers
add missing static attribute to functions
ntlm: avoid breaking anti-aliasing rules
remove the --disable-multi config switch
rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
route: avoid definition of unused variables in certain configurations
fix a couple of typ0s in comments and strings
fragment.c: simplify boolean expression
tcp-server: ensure AF family is propagated to child context
Arne Schwabe (2):
Set tls-cipher restriction before loading certificates
Print ec bit details, refuse management-external-key if key is not RSA
Conrad Hoffmann (2):
Use provided env vars in up/down script.
Document down-root plugin usage in client.down
David Sommerseth (11):
doc: The CRL processing is not a deprecated feature
cleanup: Move write_pid() to where it is being used
contrib: Remove keychain-mcd code
cleanup: Move init_random_seed() to where it is being used
sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
Highlight deprecated features
Use consistent version references
docs: Replace all PolarSSL references to mbed TLS
systemd: Ensure systemd shuts down OpenVPN in a proper way
systemd: Enable systemd's auto-restart feature for server profiles
lz4: Move towards a newer LZ4 API
Emmanuel Deloget (3):
OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
Gert van Dijk (1):
Warn that DH config option is only meaningful in a tls-server context
Ilya Shipitsin (3):
travis-ci: add 3 missing patches from master to release/2.4
travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
travis-ci: update pkcs11-helper to 1.22
Richard Bonhomme (1):
man: Corrections to doc/openvpn.8
Steffan Karger (17):
Fix typo in extract_x509_extension() debug message
Move adjust_power_of_2() to integer.h
Undo cipher push in client options state if cipher is rejected
Remove strerror_ts()
Move openvpn_sleep() to manage.c
fixup: also change missed openvpn_sleep() occurrences
Always use default keysize for NCP'd ciphers
Move create_temp_file() out of #ifdef ENABLE_CRYPTO
Deprecate --keysize
Deprecate --no-replay
Move run_up_down() to init.c
tls-crypt: introduce tls_crypt_kt()
crypto: create function to initialize encrypt and decrypt key
Add coverity static analysis to Travis CI config
tls-crypt: don't leak memory for incorrect tls-crypt messages
travis: reorder matrix to speed up build
Fix bounds check in read_key()
Szilárd Pfeiffer (1):
OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
Thomas Veerman via Openvpn-devel (1):
Fix socks_proxy_port pointing to invalid data
2017.06.21 -- Version 2.4.3
Antonio Quartulli (1):
Ignore auth-nocache for auth-user-pass if auth-token is pushed
David Sommerseth (3):
crypto: Enable SHA256 fingerprint checking in --verify-hash
copyright: Update GPLv2 license texts
auth-token with auth-nocache fix broke --disable-crypto builds
Emmanuel Deloget (8):
OpenSSL: don't use direct access to the internal of X509
OpenSSL: don't use direct access to the internal of EVP_PKEY
OpenSSL: don't use direct access to the internal of RSA
OpenSSL: don't use direct access to the internal of DSA
OpenSSL: force meth->name as non-const when we free() it
OpenSSL: don't use direct access to the internal of EVP_MD_CTX
OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
OpenSSL: don't use direct access to the internal of HMAC_CTX
Gert Doering (6):
Fix NCP behaviour on TLS reconnect.
Remove erroneous limitation on max number of args for --plugin
Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
Fix potential 1-byte overread in TCP option parsing.
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
Update Changes.rst with relevant info for 2.4.3 release.
Guido Vranken (6):
refactor my_strupr
Fix 2 memory leaks in proxy authentication routine
Fix memory leak in add_option() for option 'connection'
Ensure option array p[] is always NULL-terminated
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Jérémie Courrèges-Anglas (2):
Fix an unaligned access on OpenBSD/sparc64
Missing include for socket-flags TCP_NODELAY on OpenBSD
Matthias Andree (1):
Make openvpn-plugin.h self-contained again.
Selva Nair (1):
Pass correct buffer size to GetModuleFileNameW()
Steffan Karger (11):
Log the negotiated (NCP) cipher
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Skip tls-crypt unit tests if required crypto mode not supported
openssl: fix overflow check for long --tls-cipher option
Add a DSA test key/cert pair to sample-keys
Fix mbedtls fingerprint calculation
mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
mbedtls: require C-string compatible types for --x509-username-field
Fix remote-triggerable memory leaks (CVE-2017-7521)
Restrict --x509-alt-username extension types
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
Steven McDonald (1):
Fix gateway detection with OpenBSD routing domains
2017.05.11 -- Version 2.4.2
David Sommerseth (5):
auth-token: Ensure tokens are always wiped on de-auth
docs: Fixed man-page warnings discoverd by rpmlint
Make --cipher/--auth none more explicit on the risks
plugin: Fix documentation typo for type_mask
plugin: Export secure_memzero() to plug-ins
Hristo Venev (1):
Fix extract_x509_field_ssl for external objects, v2
Selva Nair (1):
In auth-pam plugin clear the password after use
Steffan Karger (10):
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
Don't run packet_id unit tests for --disable-crypto builds
Fix Changes.rst layout
Fix memory leak in x509_verify_cert_ku()
mbedtls: correctly check return value in pkcs11_certificate_dn()
Restore pre-NCP frame parameters for new sessions
Always clear username/password from memory on error
Document tls-crypt security considerations in man page
Don't assert out on receiving too-large control packets (CVE-2017-7478)
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
ValdikSS (1):
Set a low interface metric for tap adapter when block-outside-dns is in use
2017.03.21 -- Version 2.4.1
Antonio Quartulli (4):
attempt to add IPv6 route even when no IPv6 address was configured
fix redirect-gateway behaviour when an IPv4 default route does not exist
CRL: use time_t instead of struct timespec to store last mtime
ignore remote-random-hostname if a numeric host is provided
Christian Hesse (7):
man: fix formatting for alternative option
systemd: Use automake tools to install unit files
systemd: Do not race on RuntimeDirectory
systemd: Add more security feature for systemd units
Clean up plugin path handling
plugin: Remove GNUism in openvpn-plugin.h generation
fix typo in notification message
David Sommerseth (6):
management: >REMOTE operation would overwrite ce change indicator
management: Remove a redundant #ifdef block
git: Merge .gitignore files into a single file
systemd: Move the READY=1 signalling to an earlier point
plugin: Improve the handling of default plug-in directory
cleanup: Remove faulty env processing functions
Emmanuel Deloget (8):
OpenSSL: check for the SSL reason, not the full error
OpenSSL: don't use direct access to the internal of X509_STORE_CTX
OpenSSL: don't use direct access to the internal of SSL_CTX
OpenSSL: don't use direct access to the internal of X509_STORE
OpenSSL: don't use direct access to the internal of X509_OBJECT
OpenSSL: don't use direct access to the internal of RSA_METHOD
OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
Eric Thorpe (1):
Fix Building Using MSVC
Gert Doering (4):
Add openssl_compat.h to openvpn_SOURCES
Fix '--dev null'
Fix installation of IPv6 host route to VPN server when using iservice.
Make ENABLE_OCC no longer depend on !ENABLE_SMALL
Gisle Vanem (1):
Crash in options.c
Ilya Shipitsin (2):
Resolve several travis-ci issues
travis-ci: remove unused files
Olivier Wahrenberger (1):
Fix building with LibreSSL 2.5.1 by cleaning a hack.
Selva Nair (4):
Fix push options digest update
Always release dhcp address in close_tun() on Windows.
Add a check for -Wl, --wrap support in linker
Fix user's group membership check in interactive service to work with domains
Simon Matter (1):
Fix segfault when using crypto lib without AES-256-CTR or SHA256
Steffan Karger (8):
More broadly enforce Allman style and braces-around-conditionals
Use SHA256 for the internal digest, instead of MD5
OpenSSL: 1.1 fallout - fix configure on old autoconf
Fix types in WIN32 socket_listen_accept()
Remove duplicate X509 env variables
Fix non-C99-compliant builds: don't use const size_t as array length
Deprecate --ns-cert-type
Be less picky about keyUsage extensions
2016.12.26 -- Version 2.4.0
David Sommerseth (5):
dev-tools: Added script for updating copyright years in files
Update copyrights
docs: Further enhance the documentation related to SWEET32
man: Remove references to no longer present IV_RGI6 peer-info
build: Ensure Changes.rst is shipped and installed as a doc file
Gert Doering (1):
Remove IV_RGI6=1 peer-info signalling.
Steffan Karger (3):
Document that RSA_SIGN can also request TLS 1.2 signatures
man: encourage user to read on about --tls-crypt
Textual fixes for Changes.rst
2016.12.16 -- Version 2.4_rc2 2016.12.16 -- Version 2.4_rc2
David Sommerseth (9): David Sommerseth (9):
......
Overview of changes in 2.6
==========================
New features
------------
Keying Material Exporters (RFC 5705) based key generation
As part of the cipher negotiation OpenVPN will automatically prefer
the RFC5705 based key material generation to the current custom
OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
Compatibility with OpenSSL in FIPS mode
OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
has been made to check or implement all the
requirements/recommendation of FIPS 140-2. This just allows OpenVPN
to be run on a system that be configured OpenSSL in FIPS mode.
``mlock`` will now check if enough memlock-able memory has been reserved,
and if less than 100MB RAM are available, use setrlimit() to upgrade
the limit. See Trac #1390. Not available on OpenSolaris.
Certificate pinning/verify peer fingerprint
The ``--peer-fingerprint`` option has been introduced to give users an
easy to use alternative to the ``tls-verify`` for matching the
fingerprint of the peer. The option takes use a number of allowed
SHA256 certificate fingerprints.
See the man page section "Small OpenVPN setup with peer-fingerprint"
for a tutorial on how to use this feature. This is also available online
under https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst
TLS mode with self-signed certificates
When ``--peer-fingerprint`` is used, the ``--ca`` and ``--capath`` option
become optional. This allows for small OpenVPN setups without setting up
a PKI with Easy-RSA or similar software.
Deferred auth support for scripts
The ``--auth-user-pass-verify`` script supports now deferred authentication.
Pending auth support for plugins and scripts
Both auth plugin and script can now signal pending authentication to
the client when using deferred authentication. The new ``client-crresponse``
script option and ``OPENVPN_PLUGIN_CLIENT_CRRESPONSE`` plugin function can
be used to parse a client response to a ``CR_TEXT`` two factor challenge.
See ``sample/sample-scripts/totpauth.py`` for an example.
Compatibility mode (``--compat-mode``)
The modernisation of defaults can impact the compatibility of OpenVPN 2.6.0
with older peers. The options ``--compat-mode`` allows UIs to provide users
with an easy way to still connect to older servers.
OpenSSL 3.0 support
OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user visible but
improve general compatibility with OpenSSL 3.0. ``--tls-cert-profile insecure``
has been added to allow selecting the lowest OpenSSL security level (not
recommended, use only if you must). OpenSSL 3.0 no longer supports the Blowfish
(and other deprecated) algorithm by default and the new option ``--providers``
allows loading the legacy provider to renable these algorithms.
Optional ciphers in ``--data-ciphers``
Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark
those as optional and only use them if the SSL library supports them.
Improved ``--mssfix`` and ``--fragment`` calculation
The ``--mssfix`` and ``--fragment`` options now allow an optional :code:`mtu`
parameter to specify that different overhead for IPv4/IPv6 should taken into
account and the resulting size is specified as the total size of the VPN packets
including IP and UDP headers.
Cookie based handshake for UDP server
Instead of allocating a connection for each client on the initial packet
OpenVPN server will now use an HMAC based cookie as its session id. This
way the server can verify it on completing the handshake without keeping
state. This eliminates the amplification and resource exhaustion attacks.
For tls-crypt-v2 clients, this requires OpenVPN 2.6 clients or later
because the client needs to resend its client key on completing the hand
shake. The tls-crypt-v2 option allows controlling if older clients are
accepted.
Data channel offloading with ovpn-dco
2.6.0+ implements support for data-channel offloading where the data packets
are directly processed and forwarded in kernel space thanks to the ovpn-dco
kernel module. The userspace openvpn program acts purely as a control plane
application. Note that DCO will use DATA_V2 packets in P2P mode, therefore,
this implies that peers must be running 2.6.0+ in order to have P2P-NCP
which brings DATA_V2 packet support.
Deprecated features
-------------------
``inetd`` has been removed
This was a very limited and not-well-tested way to run OpenVPN, on TCP
and TAP mode only.
``verify-hash`` has been deprecated
This option has very limited usefulness and should be replaced by either
a better ``--ca`` configuration or with a ``--tls-verify`` script.
``secret`` has been deprecated
static key mode (non-TLS) is no longer considered "good and secure enough"
for today's requirements. Use TLS mode instead. If deploying a PKI CA
is considered "too complicated", using ``--peer-fingerprint`` makes
TLS mode about as easy as using ``--secret``.
``ncp-disable`` has been removed
This option mainly served a role as debug option when NCP was first
introduced. It should now no longer be necessary.
TLS 1.0 and 1.1 are deprecated
``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults
to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally
avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only.
``--cipher`` argument is no longer appended to ``--data-ciphers``
by default. Data cipher negotiation has been introduced in 2.4.0
and been significantly improved in 2.5.0. The implicit fallback
to the cipher specified in ``--cipher`` has been removed.
Effectively, ``--cipher`` is a no-op in TLS mode now, and will
only have an effect in pre-shared-key mode (``--secret``).
From now on ``--cipher`` should not be used in new configurations
for TLS mode.
Should backwards compatibility with older OpenVPN peers be
required, please see the ``--compat-mode`` instead.
``--prng`` has beeen removed
OpenVPN used to implement its own PRNG based on a hash. However implementing
a PRNG is better left to a crypto library. So we use the PRNG
mbed TLS or OpenSSL now.
Compression no longer enabled by default
Unless an explicit compression option is specified in the configuration,
``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0.
By default, OpenVPN 2.5 still allowed a server to enable compression by
pushing compression related options.
PF (Packet Filtering) support has been removed
The built-in PF functionality has been removed from the code base. This
feature wasn't really easy to use and was long unmaintained.
This implies that also ``--management-client-pf`` and any other compile
time or run time related option do not exist any longer.
User-visible Changes
--------------------
- CHACHA20-POLY1305 is included in the default of ``--data-ciphers`` when available.
- Option ``--prng`` is ignored as we rely on the SSL library random number generator.
- Option ``--nobind`` is default when ``--client`` or ``--pull`` is used in the configuration
- :code:`link_mtu` parameter is removed from environment or replaced with 0 when scripts are
called with parameters. This parameter is unreliable and no longer internally calculated.
Overview of changes in 2.5
==========================
New features
------------
Client-specific tls-crypt keys (``--tls-crypt-v2``)
``tls-crypt-v2`` adds the ability to supply each client with a unique
tls-crypt key. This allows large organisations and VPN providers to profit
from the same DoS and TLS stack protection that small deployments can
already achieve using ``tls-auth`` or ``tls-crypt``.
ChaCha20-Poly1305 cipher support
Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data
channel.
Improved Data channel cipher negotiation
The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.
The old name is still accepted. The change in name signals that
``data-ciphers`` is the preferred way to configure data channel
ciphers and the data prefix is chosen to avoid the ambiguity that
exists with ``--cipher`` for the data cipher and ``tls-cipher``
for the TLS ciphers.
OpenVPN clients will now signal all supported ciphers from the
``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
servers will select the first common cipher from the ``data-ciphers``
list instead of blindly pushing the first cipher of the list. This
allows to use a configuration like
``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
prefers ChaCha20-Poly1305 but uses it only if the client supports it.
See the data channel negotiation section in the manual for more details.
Removal of BF-CBC support in default configuration:
By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as
data ciphers. OpenVPN 2.4 allows AES-256-GCM,AES-128-GCM and BF-CBC when
no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be
enabled by adding
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
and when you need to support very old peers also
data-ciphers-fallback BF-CBC
To offer backwards compatibility with older configs an *explicit*
cipher BF-CBC
in the configuration will be automatically translated into adding BF-CBC
to the data-ciphers option and setting data-ciphers-fallback to BF-CBC
(as in the example commands above). We strongly recommend to switching
away from BF-CBC to a more secure cipher.
Asynchronous (deferred) authentication support for auth-pam plugin.
See src/plugins/auth-pam/README.auth-pam for details.
Deferred client-connect
The ``--client-connect`` option and the connect plugin API allow
asynchronous/deferred return of the configuration file in the same way
as the auth-plugin.
Faster connection setup
A client will signal in the ``IV_PROTO`` variable that it is in pull
mode. This allows the server to push the configuration options to
the client without waiting for a ``PULL_REQUEST`` message. The feature
is automatically enabled if both client and server support it and
significantly reduces the connection setup time by avoiding one
extra packet round-trip and 1s of internal event delays.
Netlink support
On Linux, if configured without ``--enable-iproute2``, configuring IP
addresses and adding/removing routes is now done via the netlink(3)
kernel interface. This is much faster than calling ``ifconfig`` or
``route`` and also enables OpenVPN to run with less privileges.
If configured with --enable-iproute2, the ``ip`` command is used
(as in 2.4). Support for ``ifconfig`` and ``route`` is gone.
Wintun support
On Windows, OpenVPN can now use ``wintun`` devices. They are faster
than the traditional ``tap9`` tun/tap devices, but do not provide
``--dev tap`` mode - so the official installers contain both. To use
a wintun device, add ``--windows-driver wintun`` to your config
(and use of the interactive service is required as wintun needs
SYSTEM privileges to enable access).
IPv6-only operation
It is now possible to have only IPv6 addresses inside the VPN tunnel,
and IPv6-only address pools (2.4 always required IPv4 config/pools
and IPv6 was the "optional extra").
Improved Windows 10 detection
Correctly log OS on Windows 10 now.
Linux VRF support
Using the new ``--bind-dev`` option, the OpenVPN outside socket can
now be put into a Linux VRF. See the "Virtual Routing and Forwarding"
documentation in the man page.
TLS 1.3 support
TLS 1.3 support has been added to OpenVPN. Currently, this requires
OpenSSL 1.1.1+.
The options ``--tls-ciphersuites`` and ``--tls-groups`` have been
added to fine tune TLS protocol options. Most of the improvements
were also backported to OpenVPN 2.4 as part of the maintainance
releases.
Support setting DHCP search domain
A new option ``--dhcp-option DOMAIN-SEARCH my.example.com`` has been
defined, and Windows support for it is implemented (tun/tap only, no
wintun support yet). Other platforms need to support this via ``--up``
script (Linux) or GUI (OSX/Tunnelblick).
per-client changing of ``--data-ciphers`` or ``data-ciphers-fallback``
from client-connect script/dir (NOTE: this only changes preference of
ciphers for NCP, but can not override what the client announces as
"willing to accept")
Handle setting of tun/tap interface MTU on Windows
If IPv6 is in use, MTU must be >= 1280 (Windows enforces IETF requirements)
Add support for OpenSSL engines to access private key material (like TPM).
HMAC based auth-token support
The ``--auth-gen-token`` support has been improved and now generates HMAC
based user token. If the optional ``--auth-gen-token-secret`` option is
used clients will be able to seamlessly reconnect to a different server
using the same secret file or to the same server after a server restart.
Improved support for pending authentication
The protocol has been enhanced to be able to signal that
the authentication should use a secondary authentication
via web (like SAML) or a two factor authentication without
disconnecting the OpenVPN session with AUTH_FAILED. The
session will instead be stay in a authenticated state and
wait for the second factor authentication to complete.
This feature currently requires usage of the managent interface
on both client and server side. See the `management-notes.txt`
``client-pending-auth`` and ``cr-response`` commands for more
details.
VLAN support
OpenVPN servers in TAP mode can now use 802.1q tagged VLANs
on the TAP interface to separate clients into different groups
that can then be handled differently (different subnets / DHCP,
firewall zones, ...) further down the network. See the new
options ``--vlan-tagging``, ``--vlan-accept``, ``--vlan-pvid``.
802.1q tagging on the client side TAP interface is not handled
today (= tags are just forwarded transparently to the server).
Support building of .msi installers for Windows
Allow unicode search string in ``--cryptoapicert`` option (Windows)
Support IPv4 configs with /31 netmasks now
(By no longer trying to configure ``broadcast x.x.x.x'' in
ifconfig calls, /31 support "just works")
New option ``--block-ipv6`` to reject all IPv6 packets (ICMPv6)
this is useful if the VPN service has no IPv6, but the clients
might have (LAN), to avoid client connections to IPv6-enabled
servers leaking "around" the IPv4-only VPN.
``--ifconfig-ipv6`` and ``--ifconfig-ipv6-push`` will now accept
hostnames and do a DNS lookup to get the IPv6 address to use
Deprecated features
-------------------
For an up-to-date list of all deprecated options, see this wiki page:
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
- ``ncp-disable`` has been deprecated
With the improved and matured data channel cipher negotiation, the use
of ``ncp-disable`` should not be necessary anymore.
- ``inetd`` has been deprecated
This is a very limited and not-well-tested way to run OpenVPN, on TCP
and TAP mode only, which complicates the code quite a bit for little gain.
To be removed in OpenVPN 2.6 (unless users protest).
- ``no-iv`` has been removed
This option was made into a NOOP option with OpenVPN 2.4. This has now
been completely removed.
- ``--client-cert-not-required`` has been removed
This option will now cause server configurations to not start. Use
``--verify-client-cert none`` instead.
- ``--ifconfig-pool-linear`` has been removed
This option is removed. Use ``--topology p2p`` or ``--topology subnet``
instead.
- ``--compress xxx`` is considered risky and is warned against, see below.
- ``--key-method 1`` has been removed
User-visible Changes
--------------------
- If multiple connect handlers are used (client-connect, ccd, connect
plugin) and one of the handler succeeds but a subsequent fails, the
client-disconnect-script is now called immediately. Previously it
was called, when the VPN session was terminated.
- Support for building with OpenSSL 1.0.1 has been removed. The minimum
supported OpenSSL version is now 1.0.2.
- The GET_CONFIG management state is omitted if the server pushes
the client configuration almost immediately as result of the
faster connection setup feature.
- ``--compress`` is nowadays considered risky, because attacks exist
leveraging compression-inside-crypto to reveal plaintext (VORACLE). So
by default, ``--compress xxx`` will now accept incoming compressed
packets (for compatibility with peers that have not been upgraded yet),
but will not use compression outgoing packets. This can be controlled with
the new option ``--allow-compression yes|no|asym``.
- Stop changing ``--txlen`` aways from OS defaults unless explicitly specified
in config file. OS defaults nowadays are actually larger then what we used
to configure, so our defaults sometimes caused packet drops = bad performance.
- remove ``--writepid`` pid file on exit now
- plugin-auth-pam now logs via OpenVPN logging method, no longer to stderr
(this means you'll have log messages in syslog or openvpn log file now)
- use ISO 8601 time format for file based logging now (YYYY-MM-DD hh:mm:dd)
(syslog is not affected, nor is ``--machine-readable-output``)
- ``--clr-verify`` now loads all CRLs if more than one CRL is in the same
file (OpenSSL backend only, mbedTLS always did that)
- when ``--auth-user-pass file`` has no password, and the management interface
is active, query management interface (instead of trying console query,
which does not work on windows)
- skip expired certificates in Windows certificate store (``--cryptoapicert``)
- ``--socks-proxy`` + ``--proto udp*`` will now allways use IPv4, even if
IPv6 is requested and available. Our SOCKS code does not handle IPv6+UDP,
and before that change it would just fail in non-obvious ways.
- TCP listen() backlog queue is now set to 32 - this helps TCP servers that
receive lots of "invalid" connects by TCP port scanners
- do no longer print OCC warnings ("option mismatch") about ``key-method``,
``keydir``, ``tls-auth`` and ``cipher`` - these are either gone now, or
negotiated, and the warnings do not serve a useful purpose.
- ``dhcp-option DNS`` and ``dhcp-option DNS6`` are now treated identically
(= both accept an IPv4 or IPv6 address for the nameserver)
Maintainer-visible changes
--------------------------
- the man page is now in maintained in .rst format, so building the openvpn.8
manpage from a git checkout now requires python-docutils (if this is missing,
the manpage will not be built - which is not considered an error generally,
but for package builders or ``make distcheck`` it is). Release tarballs
contain the openvpn.8 file, so unless some .rst is changed, doc-utils are
not needed for building.
- OCC support can no longer be disabled
- AEAD support is now required in the crypto library
- ``--disable-server`` has been removed from configure (so it is no longer
possible to build a client-/p2p-only OpenVPN binary) - the saving in code
size no longer outweighs the extra maintenance effort.
- ``--enable-iproute2`` will disable netlink(3) support, so maybe remove
that from package building configs (see above)
- support building with MSVC 2019
- cmocka based unit tests are now only run if cmocka is installed externally
(2.4 used to ship a local git submodule which was painful to maintain)
- ``--disable-crypto`` configure option has been removed. OpenVPN is now always
built with crypto support, which makes the code much easier to maintain.
This does not affect ``--cipher none`` to do a tunnel without encryption.
- ``--disable-multi`` configure option has been removed
Overview of changes in 2.4 Overview of changes in 2.4
========================== ==========================
...@@ -10,7 +454,7 @@ Seamless client IP/port floating ...@@ -10,7 +454,7 @@ Seamless client IP/port floating
the new format. When a data packet arrives, the server identifies peer the new format. When a data packet arrives, the server identifies peer
by peer-id. If peer's ip/port has changed, server assumes that by peer-id. If peer's ip/port has changed, server assumes that
client has floated, verifies HMAC and updates ip/port in internal structs. client has floated, verifies HMAC and updates ip/port in internal structs.
This allows the connection to be immediatly restored, instead of requiring This allows the connection to be immediately restored, instead of requiring
a TLS handshake before the server accepts packets from the new client a TLS handshake before the server accepts packets from the new client
ip/port. ip/port.
...@@ -207,7 +651,7 @@ User-visible Changes ...@@ -207,7 +651,7 @@ User-visible Changes
of a field get _$N appended to it's field name, starting at N=1. For the of a field get _$N appended to it's field name, starting at N=1. For the
example above, that would result in e.g. X509_0_OU=one, X509_0_OU_1=two. example above, that would result in e.g. X509_0_OU=one, X509_0_OU_1=two.
Note that this breaks setups that rely on the fact that OpenVPN would Note that this breaks setups that rely on the fact that OpenVPN would
previously (incorrectly) only export the last occurence of a field. previously (incorrectly) only export the last occurrence of a field.
- ``proto udp`` and ``proto tcp`` now use both IPv4 and IPv6. The new - ``proto udp`` and ``proto tcp`` now use both IPv4 and IPv6. The new
options ``proto udp4`` and ``proto tcp4`` use IPv4 only. options ``proto udp4`` and ``proto tcp4`` use IPv4 only.
...@@ -321,190 +765,8 @@ Maintainer-visible changes ...@@ -321,190 +765,8 @@ Maintainer-visible changes
i386/i686 builds on RHEL5. i386/i686 builds on RHEL5.
Version 2.4.9
=============
This is primarily a maintenance release with minor bugfixes and improvements.
New features
------------
- Allow unicode search string in --cryptoapicert option (Windows)
User visible changes
--------------------
- Skip expired certificates in Windows certificate store (Windows) (trac #966)
- OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
- When using "--auth-user-pass file" with just a username and no password
in the file, OpenVPN now queries the management interface (if active)
for the credentials. Previously it would query the console for the
password, and fail if no console available (normal case on Windows)
(trac #757)
- Swap the order of checks for validating interactive service user
(Windows: check config location before querying domain controller for
group membership, which can be slow)
Bug fixes
---------
- fix condition where a client's session could "float" to a new IP address
that is not authorized ("fix illegal client float").
This can be used to disrupt service to a freshly connected client (no
session keys negotiated yet). It can not be used to inject or steal
VPN traffic. CVE-2020-11810, trac #1272).
- fix combination of async push (deferred auth) and NCP (trac #1259)
- Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
- Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
- mbedTLS: Make sure TLS session survives move (trac #880)
- Fix OpenSSL private key passphrase notices
- Fix building with --enable-async-push in FreeBSD (trac #1256)
- Fix broken fragmentation logic when using NCP (trac #1140)
Version 2.4.8
=============
This is primarily a maintenance release with minor bugfixes and improvements.
New features
------------
- Support compiling with OpenSSL 1.1 without deprecated APIs
- handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
User visible changes
--------------------
- do not abort when hitting the combination of "--pull-filter" and
"--mode server" (this got hit when starting OpenVPN servers using
the windows GUI which installs a pull-filter to force ip-win32)
- increase listen() backlog queue to 32 (improve response behaviour
on openvpn servers using TCP that get portscanned)
- fix and enhance documentation (INSTALL, man page, ...)
Bug fixes
---------
- the combination "IPv6 and proto UDP and SOCKS proxy" did not work - as
a workaround, force IPv4 in this case until a full implementation for
IPv6-UDP-SOCKS can be made.
- fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
- fix building with LibreSSL
- do not set pkcs11-helper 'safe fork mode' (should fix PIN querying in
systemd environments)
- repair windows builds
- repair Darwin builds (remove -no-cpp-precomp flag)
Version 2.4.7
=============
This is primarily a maintenance release with minor bugfixes and improvements.
New features
------------
- ifconfig-ipv6(-push): allow using hostnames (in place of IPv6 addresses)
- new option: --ciphersuites to select TLS 1.3 cipher suites
(--cipher selects TLS 1.2 and earlier ciphers)
- enable dhcp on tap adapter using interactive service
(previously this required a privileged netsh.exe call from OpenVPN)
- clarify and expand management interface documentation
- add Interactive Service developer documentation
User visible changes
--------------------
- add message explaining early TLS client hello failure (if TLS 1.0
only clients try to connect to TLS 1.3 capable servers)
- --show-tls will now display TLS 1.3 and TLS 1.2 ciphers in separate
lists (if built with OpenSSL 1.1.1+)
- don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
(unnecessary warnings, and will cause spurious warnings with tls-crypt-v2)
- bump version of openvpn plugin argument structs to 5
- plugin: Export base64 encode and decode functions
- man: add security considerations to --compress section
Bug fixes
---------
- print port numbers (again) for incoming IPv4 connections received on
a dual-stacked IPv6 socket. This got lost at some point during
rewrite of the dual-stack code and proper printing of IPv4 addresses.
- fallback to password authentication when auth-token fails
- fix combination of --dev tap and --topology subnet across multiple
platforms (BSDs, MacOS, and Solaris).
- fix Windows CryptoAPI usage for TLS 1.2 signatures
- fix option handling in combination with NCP negotiation and OCC
(--opt-verify failure on reconnect if NCP modified options and server
verified "original" vs. "modified" options)
- mbedtls: print warning if random personalisation fails
- fix subnet topology on NetBSD (2.4).
Version 2.4.6
=============
This is primarily a maintenance release with minor bugfixes and improvements,
and one security relevant fix for the Windows Interactive Service.
User visible changes
--------------------
- warn if the management interface is configured with a TCP port and
no password is set (because it might be possible to interfere with
OpenVPN operation by tricking other programs into connecting to the
management interface and inject unwanted commands)
Bug fixes
---------
- CVE-2018-9336: fix potential double-free() in the Interactive Service
(Windows) on malformed input.
- avoid possible integer overflow in wakeup computation (trac #922)
- improve handling of incoming packet bursts for control channel data
- fix compilation with older OpenSSL versions that were broken in 2.4.5
- Windows + interactive Service: delete the IPv6 route to the "connected"
network on tun close
Version 2.4.5 Version 2.4.5
============= =============
This is primarily a maintenance release, with further improved OpenSSL 1.1
integration, several minor bug fixes and other minor improvements.
New features New features
------------ ------------
...@@ -514,99 +776,6 @@ New features ...@@ -514,99 +776,6 @@ New features
elliptic curve certificates. The default will be changed to the 'preferred' elliptic curve certificates. The default will be changed to the 'preferred'
profile in the future, which requires SHA2+, RSA-2048+ and any curve. profile in the future, which requires SHA2+, RSA-2048+ and any curve.
- make CryptoAPI support (Windows) compatible with OpenSSL 1.1 builds
- TLS v1.2 support for cryptoapicert (on Windows) -- RSA only
- openvpnserv: Add support for multi-instances (to support multiple
parallel OpenVPN installations, like EduVPN and regular OpenVPN)
- Use P_DATA_V2 for server->client packets too (better packet alignment)
- improve management interface documentation
- rework registry key handling for OpenVPN service, notably making most
registry values optional, falling back to reasonable defaults
- accept IPv6 address for pushed "dhcp-option DNS ..."
(make OpenVPN 2 option compatible with OpenVPN 3 iOS and Android clients)
Bug fixes
---------
- Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
- Fix lots of compiler warnings (format string, type casts, ...)
- Fix --redirect-gateway route installation on Windows systems that have
multiple interfaces into the same network (e.g. Wifi and wired LAN).
- Fix IPv6 interface route cleanup on Windows
- reload HTTP proxy credentials when moving to the next connection profile
- Fix build with LibreSSL (multiple times)
- Remove non-useful warning on pushed tun-ipv6 option.
- fix building with MSVC due to incompatible C constructs
- autoconf: Fix engine checks for openssl 1.1
- lz4: Rebase compat-lz4 against upstream v1.7.5
- lz4: Fix broken builds when pkg-config is not present but system library is
- Fix '--bind ipv6only'
- Allow learning iroutes with network made up of all 0s
Version 2.4.4
=============
This is primarily a maintenance release, with further improved OpenSSL 1.1
integration, several minor bug fixes and other minor improvements.
Bug fixes
---------
- Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is
rejected by the remote side
- Ignore ``--keysize`` when NCP have resulted in a changed cipher.
- Configurations using ``--auth-nocache`` and the management interface to provide
user credentials (like NetworkManager on Linux) on client side with servers
implementing authentication tokens (for example, using ``--auth-gen-token``)
will now behave correctly and not query the user for an, to them, unknown
authentication token on renegotiations of the tunnel.
- Fix bug causing invalid or corrupt SOCKS port number when changing the
proxy via the management interface.
- The man page should now have proper escaping of hyphens/minus characters
and have seen some minor corrections.
User-visible Changes
--------------------
- Linux servers with systemd which uses the ``openvpn-server@.service`` unit
file for server configurations will now utilize the automatic restart feature
in systemd. If the OpenVPN server process dies unexpectedly, systemd will
ensure the OpenVPN configuration will be restarted without any user interaction.
Deprecated features
-------------------
- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.
- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6
Security
--------
- CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``.
Before this fix, it could allow an attacker to send a malformed packet to
trigger a stack overflow. This is considered to be a low risk issue, as
``--key-method 2`` has been the default since OpenVPN 2.0 (released on
2005-04-17). This option is already deprecated in v2.4 and will be
completely removed in v2.5.
Version 2.4.3 Version 2.4.3
============= =============
...@@ -630,7 +799,7 @@ Security ...@@ -630,7 +799,7 @@ Security
- CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks - CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks
A client could cause a server to leak a few bytes each time it connects to the A client could cause a server to leak a few bytes each time it connects to the
server. That can eventuall cause the server to run out of memory, and thereby server. That can eventually cause the server to run out of memory, and thereby
causing the server process to terminate. Discovered and reported to the causing the server process to terminate. Discovered and reported to the
OpenVPN security team by Guido Vranken. (OpenSSL builds only.) OpenVPN security team by Guido Vranken. (OpenSSL builds only.)
...@@ -658,7 +827,7 @@ Security ...@@ -658,7 +827,7 @@ Security
are known. are known.
- Fix null-pointer dereference when talking to a malicious http proxy - Fix null-pointer dereference when talking to a malicious http proxy
that returns a malformed Proxy-Authenticate: headers for digest auth. that returns a malformed ``Proxy-Authenticate:`` headers for digest auth.
- Fix overflow check for long ``--tls-cipher`` option - Fix overflow check for long ``--tls-cipher`` option
...@@ -697,7 +866,7 @@ Bugfixes ...@@ -697,7 +866,7 @@ Bugfixes
- Fix TCP_NODELAY on OpenBSD - Fix TCP_NODELAY on OpenBSD
- Remove erroneous limitation on max number of args for --plugin - Remove erroneous limitation on max number of args for ``--plugin``
- Fix NCP behaviour on TLS reconnect (Server would not send a proper - Fix NCP behaviour on TLS reconnect (Server would not send a proper
"cipher ..." message back to the client, leading to client and server "cipher ..." message back to the client, leading to client and server
...@@ -733,12 +902,10 @@ Version 2.4.1 ...@@ -733,12 +902,10 @@ Version 2.4.1
- ``--remote-cert-ku`` now only requires the certificate to have at least the - ``--remote-cert-ku`` now only requires the certificate to have at least the
bits set of one of the values in the supplied list, instead of requiring an bits set of one of the values in the supplied list, instead of requiring an
exact match to one of the values in the list. exact match to one of the values in the list.
- ``--remote-cert-tls`` now only requires that a keyUsage is present in the - ``--remote-cert-tls`` now only requires that a keyUsage is present in the
certificate, and leaves the verification of the value up to the crypto certificate, and leaves the verification of the value up to the crypto
library, which has more information (i.e. the key exchange method in use) library, which has more information (i.e. the key exchange method in use)
to verify that the keyUsage is correct. to verify that the keyUsage is correct.
- ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead. - ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead.
The nsCertType x509 extension is very old, and barely used. The nsCertType x509 extension is very old, and barely used.
``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage
......
...@@ -71,12 +71,13 @@ REQUIRES: ...@@ -71,12 +71,13 @@ REQUIRES:
(1) TUN and/or TAP driver to allow user-space programs to control (1) TUN and/or TAP driver to allow user-space programs to control
a virtual point-to-point IP or Ethernet device. See a virtual point-to-point IP or Ethernet device. See
TUN/TAP Driver Configuration section below for more info. TUN/TAP Driver Configuration section below for more info.
(2) OpenSSL library, necessary for encryption, version 1.0.2 or higher
OPTIONAL (but recommended):
(1) OpenSSL library, necessary for encryption, version 0.9.8 or higher
required, available from http://www.openssl.org/ required, available from http://www.openssl.org/
(2) mbed TLS library, an alternative for encryption, version 2.0 or higher or
(3) mbed TLS library, an alternative for encryption, version 2.0 or higher
required, available from https://tls.mbed.org/ required, available from https://tls.mbed.org/
OPTIONAL:
(3) LZO real-time compression library, required for link compression, (3) LZO real-time compression library, required for link compression,
available from http://www.oberhumer.com/opensource/lzo/ available from http://www.oberhumer.com/opensource/lzo/
OpenBSD users can use ports or packages to install lzo, but remember OpenBSD users can use ports or packages to install lzo, but remember
...@@ -145,7 +146,7 @@ make check (Run all tests below) ...@@ -145,7 +146,7 @@ make check (Run all tests below)
Test Crypto: Test Crypto:
./openvpn --genkey --secret key ./openvpn --genkey secret key
./openvpn --test-crypto --secret key ./openvpn --test-crypto --secret key
Test SSL/TLS negotiations (runs for 2 minutes): Test SSL/TLS negotiations (runs for 2 minutes):
...@@ -156,6 +157,20 @@ Test SSL/TLS negotiations (runs for 2 minutes): ...@@ -156,6 +157,20 @@ Test SSL/TLS negotiations (runs for 2 minutes):
For more thorough client-server tests you can configure your own, private test For more thorough client-server tests you can configure your own, private test
environment. See tests/t_client.rc-sample for details. environment. See tests/t_client.rc-sample for details.
To do the C unit tests, you need to have the "cmocka" test framework
installed on your system. More recent distributions already ship this
as part of their packages/ports. If your system does not have it,
you can install cmocka with these commands:
$ git clone https://git.cryptomilk.org/projects/cmocka.git
$ cd cmocka
$ mkdir build
$ cd build
$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DCMAKE_BUILD_TYPE=Debug ..
$ make
$ sudo make install
************************************************************************* *************************************************************************
OPTIONS for ./configure: OPTIONS for ./configure:
...@@ -213,7 +228,6 @@ ENVIRONMENT for ./configure: ...@@ -213,7 +228,6 @@ ENVIRONMENT for ./configure:
ROUTE full path to route utility ROUTE full path to route utility
IPROUTE full path to ip utility IPROUTE full path to ip utility
NETSTAT path to netstat utility NETSTAT path to netstat utility
MAN2HTML path to man2html utility
GIT path to git utility GIT path to git utility
SYSTEMD_ASK_PASSWORD SYSTEMD_ASK_PASSWORD
path to systemd-ask-password utility path to systemd-ask-password utility
...@@ -221,6 +235,8 @@ ENVIRONMENT for ./configure: ...@@ -221,6 +235,8 @@ ENVIRONMENT for ./configure:
Path of systemd unit directory [default=LIBDIR/systemd/system] Path of systemd unit directory [default=LIBDIR/systemd/system]
TMPFILES_DIR TMPFILES_DIR
Path of tmpfiles directory [default=LIBDIR/tmpfiles.d] Path of tmpfiles directory [default=LIBDIR/tmpfiles.d]
RST2MAN Path to rst2man utility
RST2HTML Path to rst2html utility
ENVIRONMENT variables adjusting parameters related to dependencies ENVIRONMENT variables adjusting parameters related to dependencies
......
...@@ -5,8 +5,8 @@ ...@@ -5,8 +5,8 @@
# packet encryption, packet authentication, and # packet encryption, packet authentication, and
# packet compression. # packet compression.
# #
# Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> # Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
# Copyright (C) 2010 David Sommerseth <dazo@users.sourceforge.net> # Copyright (C) 2010-2022 David Sommerseth <dazo@eurephia.org>
# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com> # Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
...@@ -23,9 +23,6 @@ ...@@ -23,9 +23,6 @@
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# This option prevents autoreconf from overriding our COPYING and
# INSTALL targets:
AUTOMAKE_OPTIONS = foreign 1.9
ACLOCAL_AMFLAGS = -I m4 ACLOCAL_AMFLAGS = -I m4
MAINTAINERCLEANFILES = \ MAINTAINERCLEANFILES = \
...@@ -46,18 +43,17 @@ EXTRA_DIST = \ ...@@ -46,18 +43,17 @@ EXTRA_DIST = \
contrib \ contrib \
debug debug
.PHONY: config-version.h .PHONY: config-version.h doxygen
if GIT_CHECKOUT if GIT_CHECKOUT
BUILT_SOURCES = \ BUILT_SOURCES = \
config-version.h config-version.h
endif endif
SUBDIRS = build distro include src sample doc vendor tests SUBDIRS = build distro include src sample doc tests
dist_doc_DATA = \ dist_doc_DATA = \
README \ README \
README.IPv6 \
README.mbedtls \ README.mbedtls \
Changes.rst \ Changes.rst \
COPYRIGHT.GPL \ COPYRIGHT.GPL \
...@@ -67,12 +63,8 @@ dist_noinst_DATA = \ ...@@ -67,12 +63,8 @@ dist_noinst_DATA = \
.gitignore \ .gitignore \
.gitattributes \ .gitattributes \
PORTS \ PORTS \
README.IPv6 TODO.IPv6 \
README.mbedtls \ README.mbedtls \
openvpn.sln \ openvpn.sln
msvc-env.bat \
msvc-dev.bat \
msvc-build.bat
dist_noinst_HEADERS = \ dist_noinst_HEADERS = \
config-msvc.h \ config-msvc.h \
...@@ -96,3 +88,6 @@ config-version.h: ...@@ -96,3 +88,6 @@ config-version.h:
else \ else \
rm -f config-version.h.tmp; \ rm -f config-version.h.tmp; \
fi fi
doxygen:
$(MAKE) -C doc/doxygen doxygen
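Review bot: The hunk at `@@ -23,9 +23,6 @@` drops `AUTOMAKE_OPTIONS = foreign 1.9` along with the comment saying it keeps autoreconf from overriding the project's COPYING and INSTALL, and nothing in this file section replaces it. If the strictness is now set elsewhere (for example as an option to `AM_INIT_AUTOMAKE` in configure.ac, which is not visible here), a one-line comment such as `# automake options (foreign) are set in configure.ac` would stop a later maintainer from assuming the setting was lost. If it is not set anywhere, automake falls back to GNU strictness, which expects NEWS, AUTHORS and ChangeLog, and `autoreconf --install` may replace the project's INSTALL with the generic text. Separately, the new `doxygen` rule at the end of the section is declared phony but undocumented; `# Build the Doxygen documentation in doc/doxygen` above it would be enough.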
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
#
# OpenVPN -- An application to securely tunnel IP networks
# over a single UDP port, with support for SSL/TLS-based
# session authentication and key exchange,
# packet encryption, packet authentication, and
# packet compression.
#
# Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
# Copyright (C) 2010 David Sommerseth <dazo@users.sourceforge.net>
# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
$(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \
$(am__configure_deps) $(dist_doc_DATA) $(dist_noinst_DATA) \
$(dist_noinst_HEADERS) $(am__DIST_COMMON)
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = config.h $(top_builddir)/include/openvpn-plugin.h
CONFIG_CLEAN_FILES = version.sh
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(docdir)" "$(DESTDIR)$(rootdir)"
DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(root_DATA)
HEADERS = $(dist_noinst_HEADERS)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir distdir-am dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \
$(LISP)config.h.in
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
$(srcdir)/version.sh.in AUTHORS COPYING ChangeLog INSTALL NEWS \
README compile config.guess config.sub install-sh ltmain.sh \
missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
if test -d "$(distdir)"; then \
find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -rf "$(distdir)" \
|| { sleep 5 && rm -rf "$(distdir)"; }; \
else :; fi
am__post_remove_distdir = $(am__remove_distdir)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
sed_rest='s,^[^/]*/*,,'; \
sed_last='s,^.*/\([^/]*\)$$,\1,'; \
sed_butlast='s,/*[^/]*$$,,'; \
while test -n "$$dir1"; do \
first=`echo "$$dir1" | sed -e "$$sed_first"`; \
if test "$$first" != "."; then \
if test "$$first" = ".."; then \
dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
else \
first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
if test "$$first2" = "$$first"; then \
dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
else \
dir2="../$$dir2"; \
fi; \
dir0="$$dir0"/"$$first"; \
fi; \
fi; \
dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
done; \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
distcleancheck_listfiles = find . -type f -print
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AS = @AS@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMAKE = @CMAKE@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DL_LIBS = @DL_LIBS@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GIT = @GIT@
GREP = @GREP@
IFCONFIG = @IFCONFIG@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
IPROUTE = @IPROUTE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBPAM_CFLAGS = @LIBPAM_CFLAGS@
LIBPAM_LIBS = @LIBPAM_LIBS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
LZO_LIBS = @LZO_LIBS@
MAKEINFO = @MAKEINFO@
MAN2HTML = @MAN2HTML@
MANIFEST_TOOL = @MANIFEST_TOOL@
MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@
MBEDTLS_LIBS = @MBEDTLS_LIBS@
MKDIR_P = @MKDIR_P@
NETSTAT = @NETSTAT@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@
OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@
OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@
OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@
OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@
OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@
OPTIONAL_INOTIFY_CFLAGS = @OPTIONAL_INOTIFY_CFLAGS@
OPTIONAL_INOTIFY_LIBS = @OPTIONAL_INOTIFY_LIBS@
OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@
OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@
OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@
OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
P11KIT_CFLAGS = @P11KIT_CFLAGS@
P11KIT_LIBS = @P11KIT_LIBS@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@
PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
RC = @RC@
ROUTE = @ROUTE@
SED = @SED@
SELINUX_LIBS = @SELINUX_LIBS@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
TMPFILES_DIR = @TMPFILES_DIR@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
libsystemd_CFLAGS = @libsystemd_CFLAGS@
libsystemd_LIBS = @libsystemd_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sampledir = @sampledir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
# This option prevents autoreconf from overriding our COPYING and
# INSTALL targets:
AUTOMAKE_OPTIONS = foreign 1.9
ACLOCAL_AMFLAGS = -I m4
MAINTAINERCLEANFILES = \
config.log config.status \
$(srcdir)/Makefile.in \
$(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \
$(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \
$(srcdir)/m4/libtool.m4 $(srcdir)/m4/lt~obsolete.m4 \
$(srcdir)/m4/ltoptions.m4 $(srcdir)/m4/ltsugar.m4 \
$(srcdir)/m4/ltversion.m4 \
$(srcdir)/depcomp $(srcdir)/aclocal.m4 \
$(srcdir)/config.guess $(srcdir)/config.sub
CLEANFILES = \
config-version.h tests/t_client.sh
EXTRA_DIST = \
contrib \
debug
@GIT_CHECKOUT_TRUE@BUILT_SOURCES = \
@GIT_CHECKOUT_TRUE@ config-version.h
SUBDIRS = build distro include src sample doc vendor tests
dist_doc_DATA = \
README \
README.IPv6 \
README.mbedtls \
Changes.rst \
COPYRIGHT.GPL \
COPYING
dist_noinst_DATA = \
.gitignore \
.gitattributes \
PORTS \
README.IPv6 TODO.IPv6 \
README.mbedtls \
openvpn.sln \
msvc-env.bat \
msvc-dev.bat \
msvc-build.bat
dist_noinst_HEADERS = \
config-msvc.h \
config-msvc-version.h.in
@WIN32_TRUE@rootdir = $(prefix)
@WIN32_TRUE@root_DATA = version.sh
all: $(BUILT_SOURCES) config.h
$(MAKE) $(AM_MAKEFLAGS) all-recursive
.SUFFIXES:
am--refresh: Makefile
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \
$(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \
&& exit 0; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
echo ' $(SHELL) ./config.status'; \
$(SHELL) ./config.status;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
$(SHELL) ./config.status --recheck
$(top_srcdir)/configure: $(am__configure_deps)
$(am__cd) $(srcdir) && $(AUTOCONF)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
$(am__aclocal_m4_deps):
config.h: stamp-h1
@test -f $@ || rm -f stamp-h1
@test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1
stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
@rm -f stamp-h1
cd $(top_builddir) && $(SHELL) ./config.status config.h
$(srcdir)/config.h.in: $(am__configure_deps)
($(am__cd) $(top_srcdir) && $(AUTOHEADER))
rm -f stamp-h1
touch $@
distclean-hdr:
-rm -f config.h stamp-h1
version.sh: $(top_builddir)/config.status $(srcdir)/version.sh.in
cd $(top_builddir) && $(SHELL) ./config.status $@
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
distclean-libtool:
-rm -f libtool config.lt
install-dist_docDATA: $(dist_doc_DATA)
@$(NORMAL_INSTALL)
@list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
done
uninstall-dist_docDATA:
@$(NORMAL_UNINSTALL)
@list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
install-rootDATA: $(root_DATA)
@$(NORMAL_INSTALL)
@list='$(root_DATA)'; test -n "$(rootdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(rootdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(rootdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(rootdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(rootdir)" || exit $$?; \
done
uninstall-rootDATA:
@$(NORMAL_UNINSTALL)
@list='$(root_DATA)'; test -n "$(rootdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(rootdir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done; \
if test "$$dot_seen" = "no"; then \
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
include_option=--etags-include; \
empty_fix=.; \
else \
include_option=--include; \
empty_fix=; \
fi; \
list='$(SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test ! -f $$subdir/TAGS || \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-recursive
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscope: cscope.files
test ! -s cscope.files \
|| $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
clean-cscope:
-rm -f cscope.files
cscope.files: clean-cscope cscopelist
cscopelist: cscopelist-recursive
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
$(am__remove_distdir)
test -d "$(distdir)" || mkdir "$(distdir)"
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
dir1=$$subdir; dir2="$(top_distdir)"; \
$(am__relativize); \
new_top_distdir=$$reldir; \
echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
($(am__cd) $$subdir && \
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$$new_top_distdir" \
distdir="$$new_distdir" \
am__remove_distdir=: \
am__skip_length_check=: \
am__skip_mode_fix=: \
distdir) \
|| exit 1; \
fi; \
done
-test -n "$(am__skip_mode_fix)" \
|| find "$(distdir)" -type d ! -perm -755 \
-exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz
$(am__post_remove_distdir)
dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
$(am__post_remove_distdir)
dist-lzip: distdir
tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__post_remove_distdir)
dist-xz: distdir
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
dist-tarZ: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__post_remove_distdir)
dist-shar: distdir
@echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz
$(am__post_remove_distdir)
dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__post_remove_distdir)
dist dist-all:
$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
$(am__post_remove_distdir)
# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
# tarfile.
distcheck: dist
case '$(DIST_ARCHIVES)' in \
*.tar.gz*) \
eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lz*) \
lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
*.shar.gz*) \
eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir)
chmod u+w $(distdir)
mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build/sub \
&& ../../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=../.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
&& $(MAKE) $(AM_MAKEFLAGS) install \
&& $(MAKE) $(AM_MAKEFLAGS) installcheck \
&& $(MAKE) $(AM_MAKEFLAGS) uninstall \
&& $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
distuninstallcheck \
&& chmod -R a-w "$$dc_install_base" \
&& ({ \
(cd ../.. && umask 077 && mkdir "$$dc_destdir") \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
} || { rm -rf "$$dc_destdir"; exit 1; }) \
&& rm -rf "$$dc_destdir" \
&& $(MAKE) $(AM_MAKEFLAGS) dist \
&& rm -rf $(DIST_ARCHIVES) \
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__post_remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@test -n '$(distuninstallcheck_dir)' || { \
echo 'ERROR: trying to run $@ with an empty' \
'$$(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
$(am__cd) '$(distuninstallcheck_dir)' || { \
echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
fi ; \
$(distuninstallcheck_listfiles) ; \
exit 1; } >&2
distcleancheck: distclean
@if test '$(srcdir)' = . ; then \
echo "ERROR: distcleancheck can only run from a VPATH build" ; \
exit 1 ; \
fi
@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left in build directory after distclean:" ; \
$(distcleancheck_listfiles) ; \
exit 1; } >&2
check-am: all-am
check: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) check-recursive
all-am: Makefile $(DATA) $(HEADERS) config.h
installdirs: installdirs-recursive
installdirs-am:
for dir in "$(DESTDIR)$(docdir)" "$(DESTDIR)$(rootdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-recursive
install-exec: install-exec-recursive
install-data: install-data-recursive
uninstall: uninstall-recursive
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-recursive
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
clean: clean-recursive
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-recursive
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-rm -f Makefile
distclean-am: clean-am distclean-generic distclean-hdr \
distclean-libtool distclean-tags
dvi: dvi-recursive
dvi-am:
html: html-recursive
html-am:
info: info-recursive
info-am:
install-data-am: install-dist_docDATA install-rootDATA
install-dvi: install-dvi-recursive
install-dvi-am:
install-exec-am:
install-html: install-html-recursive
install-html-am:
install-info: install-info-recursive
install-info-am:
install-man:
install-pdf: install-pdf-recursive
install-pdf-am:
install-ps: install-ps-recursive
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-rm -rf $(top_srcdir)/autom4te.cache
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-recursive
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-recursive
pdf-am:
ps: ps-recursive
ps-am:
uninstall-am: uninstall-dist_docDATA uninstall-rootDATA
.MAKE: $(am__recursive_targets) all check install install-am \
install-strip
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \
clean-libtool cscope cscopelist-am ctags ctags-am dist \
dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
dist-xz dist-zip distcheck distclean distclean-generic \
distclean-hdr distclean-libtool distclean-tags distcleancheck \
distdir distuninstallcheck dvi dvi-am html html-am info \
info-am install install-am install-data install-data-am \
install-dist_docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-rootDATA install-strip \
installcheck installcheck-am installdirs installdirs-am \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-am uninstall uninstall-am uninstall-dist_docDATA \
uninstall-rootDATA
.PRECIOUS: Makefile
.PHONY: config-version.h
config-version.h:
@CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \
CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \
CONFIGURE_GIT_REVISION="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --symbolic-full-name HEAD | cut -d/ -f3-`/`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --short=16 HEAD`"; \
echo "#define CONFIGURE_GIT_REVISION \"$${CONFIGURE_GIT_REVISION}\"" > config-version.h.tmp; \
echo "#define CONFIGURE_GIT_FLAGS \"$${CONFIGURE_GIT_CHFILES}$${CONFIGURE_GIT_UNCOMMITTED}\"" >> config-version.h.tmp
@if ! [ -f config-version.h ] || ! cmp -s config-version.h.tmp config-version.h; then \
echo "replacing config-version.h"; \
mv config-version.h.tmp config-version.h; \
else \
rm -f config-version.h.tmp; \
fi
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT: