diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 2db90bcdecd..b259212351a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,7 +13,7 @@ jobs:
 - name: Install dependencies
 run: sudo apt update && sudo apt install -y uncrustify
 - name: Checkout OpenVPN
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 path: openvpn
 - name: Show uncrustify version
@@ -27,7 +27,7 @@ jobs:
 - name: Show changes on standard output
 run: git diff
 working-directory: openvpn
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
 with:
 name: uncrustify-changes.patch
 path: 'openvpn/uncrustify-changes.patch'
@@ -39,140 +39,75 @@ jobs: strategy: fail-fast: false matrix: - osslver: [1.1.1q, 3.0.5] - target: [mingw64, mingw] - include: - - target: mingw64 - chost: x86_64-w64-mingw32 - - target: mingw - chost: i686-w64-mingw32 + arch: [x86, x64] - name: "gcc-mingw - ${{matrix.target}} - OSSL ${{ matrix.osslver }}" + name: "gcc-mingw - ${{ matrix.arch }} - OSSL" runs-on: ubuntu-22.04 env: - MAKEFLAGS: -j3 - LZO_VERSION: "2.10" - PKCS11_HELPER_VERSION: "1.29.0" - OPENSSL_VERSION: "${{ matrix.osslver }}" - TAP_WINDOWS_VERSION: "9.23.3" + VCPKG_ROOT: ${{ github.workspace }}/vcpkg steps: - name: Install dependencies - run: sudo apt update && sudo apt install -y mingw-w64 libtool automake autoconf man2html unzip + run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake ninja-build build-essential wget python3-docutils man2html-base - name: Checkout OpenVPN - uses: actions/checkout@v3 - with: - path: openvpn - - - name: autoconf - run: autoreconf -fvi - working-directory: openvpn + uses: actions/checkout@v4 - - name: Cache dependencies - id: cache - uses: actions/cache@v3 + - name: Restore from cache and install vcpkg + uses: lukka/run-vcpkg@v11 with: - path: '~/mingw/' - key: ${{ matrix.target }}-mingw-${{ matrix.osslver }}-${{ env.LZO_VERSION }}-${{ env.PKCS11_HELPER_VERSION }}-${{ env.TAP_WINDOWS_VERSION }} - - # Repeating if: steps.cache.outputs.cache-hit != 'true' - # on every step for building dependencies is ugly but - # I haven't found a better solution so far. 
- - - name: Download mingw dependencies - if: steps.cache.outputs.cache-hit != 'true' - run: | - wget -c -P download-cache/ "https://build.openvpn.net/downloads/releases/tap-windows-${TAP_WINDOWS_VERSION}.zip" - wget -c -P download-cache/ "https://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz" - wget -c -P download-cache/ "https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${PKCS11_HELPER_VERSION}/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2" - tar jxf "download-cache/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2" - wget -c -P download-cache/ "https://www.openssl.org/source/old/1.1.1/openssl-${OPENSSL_VERSION}.tar.gz" || wget -c -P download-cache/ "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" - tar zxf "download-cache/openssl-${OPENSSL_VERSION}.tar.gz" - tar zxf "download-cache/lzo-${LZO_VERSION}.tar.gz" - unzip download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip - - - name: Configure OpenSSL - if: steps.cache.outputs.cache-hit != 'true' - run: ./Configure --cross-compile-prefix=${{ matrix.chost }}- shared ${{ matrix.target }} no-capieng --prefix="${HOME}/mingw/opt" --openssldir="${HOME}/mingw/opt" -static-libgcc - working-directory: "./openssl-${{ env.OPENSSL_VERSION }}" - - - name: Build OpenSSL - if: steps.cache.outputs.cache-hit != 'true' - run: make - working-directory: "./openssl-${{ env.OPENSSL_VERSION }}" - - # OpenSSL 3.0.5 installs itself into mingw/opt/lib64 instead of - # mingw/opt/lib, so we include both dirs in the following steps - # (pkcs11-helper and OpenVPN) so the libraries will be found - - name: Install OpenSSL - if: steps.cache.outputs.cache-hit != 'true' - run: make install - working-directory: "./openssl-${{ env.OPENSSL_VERSION }}" - - - name: autoreconf pkcs11-helper - if: steps.cache.outputs.cache-hit != 'true' - run: autoreconf -iv - working-directory: "./pkcs11-helper-${{ env.PKCS11_HELPER_VERSION }}" - - - name: configure pkcs11-helper - if: 
steps.cache.outputs.cache-hit != 'true' - run: OPENSSL_LIBS="-L${HOME}/mingw/opt/lib -L${HOME}/mingw/opt/lib64 -lssl -lcrypto" OPENSSL_CFLAGS=-I$HOME/mingw/opt/include PKG_CONFIG_PATH=${HOME}/mingw/opt/lib/pkgconfig ./configure --host=${{ matrix.chost }} --program-prefix='' --libdir=${HOME}/mingw/opt/lib --prefix=${HOME}/mingw/opt --build=x86_64-pc-linux-gnu --disable-crypto-engine-gnutls --disable-crypto-engine-nss --disable-crypto-engine-polarssl --disable-crypto-engine-mbedtls - working-directory: "./pkcs11-helper-${{ env.PKCS11_HELPER_VERSION }}" + vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e + vcpkgJsonGlob: '**/mingw/vcpkg.json' - - name: build pkcs11-helper - if: steps.cache.outputs.cache-hit != 'true' - run: make all - working-directory: "./pkcs11-helper-${{ env.PKCS11_HELPER_VERSION }}" - - - name: install pkcs11-helper - if: steps.cache.outputs.cache-hit != 'true' - run: make install - working-directory: "./pkcs11-helper-${{ env.PKCS11_HELPER_VERSION }}" - - - name: Configure lzo - if: steps.cache.outputs.cache-hit != 'true' - run: ./configure --host=${{ matrix.chost }} --program-prefix='' --libdir=${HOME}/mingw/opt/lib --prefix=${HOME}/mingw/opt --build=x86_64-pc-linux-gnu - working-directory: "./lzo-${{ env.LZO_VERSION }}" - - - name: build lzo - if: steps.cache.outputs.cache-hit != 'true' - working-directory: "./lzo-${{ env.LZO_VERSION }}" - run: make + - name: Run CMake with vcpkg.json manifest + uses: lukka/run-cmake@v10 + with: + configurePreset: mingw-${{ matrix.arch }} + buildPreset: mingw-${{ matrix.arch }} + buildPresetAdditionalArgs: "['--config Debug']" - - name: install lzo - if: steps.cache.outputs.cache-hit != 'true' - working-directory: "./lzo-${{ env.LZO_VERSION }}" - run: make install + - uses: actions/upload-artifact@v4 + with: + name: openvpn-mingw-${{ matrix.arch }} + path: | + ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/*.exe + ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/*.dll + 
!${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/test_*.exe - - name: copy tap-windows.h header - if: steps.cache.outputs.cache-hit != 'true' - run: cp ./tap-windows-${TAP_WINDOWS_VERSION}/include/tap-windows.h ${HOME}/mingw/opt/include/ + - uses: actions/upload-artifact@v4 + with: + name: openvpn-mingw-${{ matrix.arch }}-tests + path: | + ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/test_*.exe + ${{ github.workspace }}/out/build/mingw/${{ matrix.arch }}/Debug/*.dll - - name: configure OpenVPN - run: PKG_CONFIG_PATH=${HOME}/mingw/opt/lib/pkgconfig LDFLAGS=-L$HOME/mingw/opt/lib CFLAGS=-I$HOME/mingw/opt/include OPENSSL_LIBS="-L${HOME}/opt/lib -L$HOME/mingw/opt/lib64 -lssl -lcrypto" OPENSSL_CFLAGS=-I$HOME/mingw/opt/include PREFIX=$HOME/mingw/opt LZO_CFLAGS=-I$HOME/mingw/opt/include LZO_LIBS="-L${HOME}/mingw/opt/lib -llzo2" ./configure --host=${{ matrix.chost }} --disable-lz4 - working-directory: openvpn + mingw-unittest: + needs: [ mingw ] + strategy: + fail-fast: false + matrix: + arch: [x86, x64] + test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, packet_id, pkt, provider, tls_crypt] - - name: build OpenVPN - run: make -j3 - working-directory: openvpn + runs-on: windows-latest + name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL" + steps: + - name: Retrieve mingw unittest + uses: actions/download-artifact@v4 + with: + name: openvpn-mingw-${{ matrix.arch }}-tests + path: unittests + - name: Run ${{ matrix.test }} unit test + run: ./unittests/test_${{ matrix.test }}.exe ubuntu: strategy: fail-fast: false matrix: - os: [ubuntu-18.04, ubuntu-20.04, ubuntu-22.04] + os: [ubuntu-20.04, ubuntu-22.04] sslpkg: [libmbedtls-dev] ssllib: [mbedtls] libname: [mbed TLS] include: - - os: ubuntu-18.04 - sslpkg: "libssl1.0-dev" - ssllib: openssl - libname: OpenSSL 1.0.2 - - os: ubuntu-18.04 - sslpkg: "libssl-dev" - libname: OpenSSL 1.1.1 - ssllib: openssl - os: ubuntu-20.04 sslpkg: "libssl-dev" libname: OpenSSL 1.1.1 
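Review bot: The new third-party actions `lukka/run-vcpkg@v11` and `lukka/run-cmake@v10` are referenced by mutable major-version tags, so whatever those tags are moved to later runs inside this job with access to the checkout and the uploaded artifacts; pinning each `uses:` to the full commit SHA of the release (tag kept in a trailing comment) makes the workflow reproducible and closes that supply-chain path. The same applies to the msvc hunk further down, where `lukka/get-cmake@latest` floats across releases and is the least reproducible of the three. `vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e` is correctly pinned but, unlike the previous msvc value `'cafd398be781144787573ca78390e951673c7055'`, it is unquoted — a commit id that happens to be all digits would be typed as an integer, so keep the quoting habit: `vcpkgGitCommitId: '8d3649ba34aab36914ddd897958599aa0a91b08e'`. The `Debug/*.dll` files are uploaded into both the `openvpn-mingw-${{ matrix.arch }}` and the `-tests` artifact; if the duplication is deliberate so the test job can download a single artifact, a one-line comment above the second upload saying so would stop someone "deduplicating" it.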
@@ -206,24 +141,17 @@ jobs: libname: OpenSSL 1.1.1 ssllib: openssl extraconf: "--disable-lzo --disable-lz4" - - os: ubuntu-20.04 - sslpkg: "libssl-dev" - libname: OpenSSL 1.1.1 - ssllib: openssl - extraconf: "--enable-dco" - nlpkg: "libnl-genl-3-dev" name: "gcc - ${{matrix.os}} - ${{matrix.libname}} ${{matrix.extraconf}}" env: SSLPKG: "${{matrix.sslpkg}}" - NLPKG: "${{matrix.nlpkg}}" runs-on: ${{matrix.os}} steps: - name: Install dependencies - run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG} ${NLPKG} + run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG} - name: Checkout OpenVPN - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure @@ -242,12 +170,15 @@ jobs: name: "clang-asan - ${{matrix.os}} - ${{matrix.ssllib}}" + env: + UBSAN_OPTIONS: print_stacktrace=1 + runs-on: ${{matrix.os}} steps: - name: Install dependencies - run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev + run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev - name: Checkout OpenVPN - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure 
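Review bot: `UBSAN_OPTIONS: print_stacktrace=1` is added separately to the clang-asan job here and again in the macos and libressl hunks; a single workflow-level `env:` block would set it once for every job and keeps the three copies from drifting. The variable only has an effect when the job's CFLAGS actually include `-fsanitize=undefined`, which the matrix `cflags` values (outside these hunks) must supply — worth confirming for the macos and libressl jobs rather than assuming from the job name. Separately, this hunk drops the explicit `--enable-dco` matrix entry while installing `libnl-genl-3-dev` unconditionally; that reads as DCO now being picked up by configure's autodetection, but if configure does not enable it by default, DCO build coverage is silently lost.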
@@ -291,11 +222,12 @@ jobs: LDFLAGS: ${{ matrix.ldflags }} OPENSSL_CFLAGS: "-I/usr/local/opt/${{matrix.libdir}}/include" OPENSSL_LIBS: "-L/usr/local/opt/${{matrix.libdir}}/lib -lcrypto -lssl" + UBSAN_OPTIONS: print_stacktrace=1 steps: - name: Install dependencies run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka libtool automake autoconf libressl - name: Checkout OpenVPN - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure 
@@ -309,72 +241,50 @@ jobs: strategy: fail-fast: false matrix: - plat: [ARM64, Win32, x64] - include: - - plat: ARM64 - triplet: arm64 - - plat: Win32 - triplet: x86 - - plat: x64 - triplet: x64 + arch: [amd64, x86, arm64] - name: "msbuild - ${{matrix.triplet}} - openssl" + name: "msbuild - ${{ matrix.arch }} - openssl" env: BUILD_CONFIGURATION: Release - VCPKG_OVERLAY_PORTS: ${{ github.workspace }}/contrib/vcpkg-ports - VCPKG_OVERLAY_TRIPLETS: ${{ github.workspace }}/contrib/vcpkg-triplets runs-on: windows-latest steps: - - uses: actions/checkout@v3 - - - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1.1 - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: '3.x' + - uses: actions/checkout@v4 + - uses: lukka/get-cmake@latest - name: Install rst2html - run: python -m pip install --upgrade pip rst2html + run: python -m pip install --upgrade pip docutils - name: Restore artifacts, or setup vcpkg (do not install any package) - uses: lukka/run-vcpkg@v10 + uses: lukka/run-vcpkg@v11 with: - vcpkgGitCommitId: 'cafd398be781144787573ca78390e951673c7055' - appendedCacheKey: '${{matrix.triplet}}' + vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e + vcpkgJsonGlob: '**/windows/vcpkg.json' - - name: Run MSBuild consuming vcpkg.json - working-directory: ${{env.GITHUB_WORKSPACE}} - run: | - # workaround for GHA runner bug where vcpkg installation is detected at c:\vcpkg - # see https://github.com/lukka/run-vcpkg/issues/170 - ${{ github.workspace }}/vcpkg/vcpkg.exe integrate install - msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform="${{ matrix.plat }}" . 
- - - name: Archive artifacts - uses: actions/upload-artifact@v3 + - name: Run CMake with vcpkg.json manifest (NO TESTS) + uses: lukka/run-cmake@v10 + if: ${{ matrix.arch == 'arm64' }} with: - name: artifacts-${{ matrix.plat }} - path: | - ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.exe - ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.dll - ${{ matrix.plat }}-Output/${{env.BUILD_CONFIGURATION}}/*.pdb - doc/openvpn.8.html + configurePreset: win-${{ matrix.arch }}-release + buildPreset: win-${{ matrix.arch }}-release - trigger_openvpn_build: - runs-on: windows-latest - needs: [checkuncrustify, mingw, ubuntu, ubuntu-clang-asan, macos, msvc] - if: ${{ github.event_name != 'pull_request' && github.repository == 'openvpn/openvpn' && github.ref == 'refs/heads/master' }} + - name: Run CMake with vcpkg.json manifest + uses: lukka/run-cmake@v10 + if: ${{ matrix.arch != 'arm64' }} + with: + configurePreset: win-${{ matrix.arch }}-release + buildPreset: win-${{ matrix.arch }}-release + testPreset: win-${{ matrix.arch }}-release - steps: - - name: Repository Dispatch - uses: peter-evans/repository-dispatch@v2 - with: - token: ${{ secrets.OPENVPN_BUILD_REPO_DISPATCH }} - repository: openvpn/openvpn-build - event-type: openvpn-commit + - uses: actions/upload-artifact@v4 + with: + name: openvpn-msvc-${{ matrix.arch }} + path: | + ${{ github.workspace }}/out/**/*.exe + ${{ github.workspace }}/out/**/*.dll + !${{ github.workspace }}/out/**/test_*.exe + !${{ github.workspace }}/out/**/CMakeFiles/** + !${{ github.workspace }}/out/**/vcpkg_installed/** libressl: strategy: 
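Review bot: The removed `trigger_openvpn_build` job was the only consumer shown for `secrets.OPENVPN_BUILD_REPO_DISPATCH`; with the repository-dispatch step gone, the token still grants dispatch rights on `openvpn/openvpn-build` but nothing in this workflow uses it, so it should be rotated or deleted from the repository secrets unless another workflow still depends on it. In the new steps, `python -m pip install --upgrade pip docutils` installs an unpinned docutils on every run; pinning at least a major version keeps the manpage build reproducible. The `(NO TESTS)` suffix in the arm64 step name is the only explanation for the missing `testPreset`; a comment above the `if: ${{ matrix.arch == 'arm64' }}` line, e.g. `# presumably arm64 binaries cannot run on the x64 runner, so no test preset`, would carry that reason where the next editor will look.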
@@ -400,24 +310,22 @@ jobs: CFLAGS: ${{ matrix.cflags }} LDFLAGS: ${{ matrix.ldflags }} CC: ${{matrix.cc}} + UBSAN_OPTIONS: print_stacktrace=1 steps: - name: Install dependencies - run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf pkg-config libcap-ng-dev + run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils libtool automake autoconf pkg-config libcap-ng-dev libnl-genl-3-dev - name: "libressl: checkout" - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: path: libressl - repository: libressl-portable/portable - ref: v3.5.3 + repository: libressl/portable + ref: v3.8.3 - name: "libressl: autogen.sh" run: ./autogen.sh working-directory: libressl - - name: "libressl: autoconf" - run: autoreconf -fvi - working-directory: libressl - name: "libressl: configure" - run: ./configure --enable-openvpn + run: ./configure working-directory: libressl - name: "libressl: make all" run: make -j3 @@ -428,7 +336,7 @@ jobs: - name: "ldconfig" run: sudo ldconfig - name: Checkout OpenVPN - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: autoconf run: autoreconf -fvi - name: configure diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml new file mode 100644 index 00000000000..e289746daa5 --- /dev/null +++ b/.github/workflows/coverity-scan.yml 
@@ -0,0 +1,69 @@ +name: coverity-scan +on: + schedule: + - cron: '0 20 * * *' # Daily at 20:00 UTC + workflow_dispatch: + +jobs: + latest: + runs-on: ubuntu-latest + steps: + - name: Check submission cache + id: check_submit + uses: actions/cache/restore@v4 + with: + path: | + cov-int + key: check-submit-${{ github.sha }} + + - name: Install dependencies + if: steps.check_submit.outputs.cache-hit != 'true' + run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf libssl-dev libpkcs11-helper1-dev softhsm2 gnutls-bin + + - name: Checkout OpenVPN + if: steps.check_submit.outputs.cache-hit != 'true' + uses: actions/checkout@v4 + + - name: Download Coverity Build Tool + if: steps.check_submit.outputs.cache-hit != 'true' + run: | + wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=OpenVPN%2Fopenvpn" -O cov-analysis-linux64.tar.gz + mkdir cov-analysis-linux64 + tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 + env: + TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + + - name: autoconf + if: steps.check_submit.outputs.cache-hit != 'true' + run: autoreconf -fvi + - name: configure + if: steps.check_submit.outputs.cache-hit != 'true' + run: ./configure --enable-pkcs11 + + - name: Build with cov-build + if: steps.check_submit.outputs.cache-hit != 'true' + run: | + PATH=`pwd`/cov-analysis-linux64/bin:$PATH + cov-build --dir cov-int make + + - name: Submit the result to Coverity Scan + if: steps.check_submit.outputs.cache-hit != 'true' + run: | + tar czvf openvpn.tgz cov-int + curl --form token=$TOKEN \ + --form email=$EMAIL \ + --form file=@openvpn.tgz \ + --form version="$GITHUB_SHA" \ + --form description="master" \ + https://scan.coverity.com/builds?project=OpenVPN%2Fopenvpn + env: + TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }} + + - name: Cache 
submission + if: steps.check_submit.outputs.cache-hit != 'true' + uses: actions/cache/save@v4 + with: + path: | + cov-int + key: ${{ steps.check_submit.outputs.cache-primary-key }} diff --git a/.gitignore b/.gitignore index 813413feca3..6217c1de2c1 100644 --- a/.gitignore +++ b/.gitignore @@ -10,13 +10,8 @@ *.idb *.suo *.ncb -*.vcproj.* -*.vcxproj.user -*.sln.cache *.log -Release -Debug -Win32-Output +out .vs .deps .libs @@ -44,12 +39,8 @@ m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4 -vcpkg_installed version.sh -msvc-env-local.bat -config-msvc-local.h -config-msvc-version.h doc/openvpn-examples.5 doc/openvpn-examples.5.html doc/openvpn.8 @@ -61,17 +52,12 @@ distro/systemd/*.service sample/sample-keys/sample-ca/ vendor/cmocka_build vendor/dist -build/msvc/msvc-generate/version.m4 tests/t_client.sh tests/t_client-*-20??????-??????/ t_client.rc t_client_ips.rc tests/unit_tests/**/*_testdriver -tests/unit_tests/engine-key/client.key -tests/unit_tests/engine-key/log.txt -tests/unit_tests/engine-key/openssl.cnf -tests/unit_tests/engine-key/passwd src/openvpn/openvpn include/openvpn-plugin.h diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 2d379c70080..00000000000 --- a/.travis.yml +++ /dev/null 
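Review bot: The submission `curl` is not run with `--fail`, so an HTTP error from Coverity (rejected token, rate limit, oversized upload) still exits 0, the step succeeds, and the following `actions/cache/save@v4` step records `check-submit-${{ github.sha }}` as submitted — after that no rerun for this commit will resubmit. Use `curl --fail --show-error --form token="$TOKEN" ... "https://scan.coverity.com/builds?project=OpenVPN%2Fopenvpn"` (quoting the URL as well, since `?` is a shell glob character) so a failed upload fails the job and leaves the cache entry unset. The Coverity build tool is extracted and executed without any integrity check — the archive is fetched over TLS but never compared against the checksum Coverity publishes for the tool, so that comparison belongs before the `tar xzf` line. Minor: `PATH=\`pwd\`/cov-analysis-linux64/bin:$PATH` only reaches `cov-build`'s children because the runner already exports PATH; `export PATH=...` states the intent. The `cov-int` path on the restore step is used purely as a per-SHA "already submitted" marker rather than as a real cache, which deserves a comment above the `Check submission cache` step.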
@@ -1,126 +0,0 @@ -dist: bionic - -os: linux - -language: c - -env: - global: - - JOBS=3 - - RUN_SUDO="false" - - PREFIX="${HOME}/opt" - - TAP_WINDOWS_VERSION=9.23.3 - - LZO_VERSION=2.10 - - PKCS11_HELPER_VERSION=1.26 - - MBEDTLS_VERSION=2.16.4 - - MBEDTLS_CFLAGS="-I${PREFIX}/include" - - MBEDTLS_LIBS="-L${PREFIX}/lib -lmbedtls -lmbedx509 -lmbedcrypto" - - OPENSSL_VERSION=1.0.2u - - OPENSSL_CFLAGS="-I${PREFIX}/include" - - OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto" - # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created - # via the "travis encrypt" command using the project repo's public key - - secure: "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" - -jobs: - include: - - name: cl - env: - - SSLLIB="openssl" - - OPENSSL_VERSION="1.1.1d" - - P7Z="c:\Program Files\7-Zip\7z.exe" - - CC="cl" - os: windows - compiler: cl - - name: Coverity scan - env: SSLLIB="openssl" RUN_COVERITY="1" - os: linux - compiler: gcc - - name: gcc | openssl-1.1.1d - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d" - os: linux - arch: amd64 - compiler: gcc - - name: gcc | openssl-1.1.1d - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d" - os: linux - arch: ppc64le - compiler: gcc - - name: gcc | openssl-1.1.1d - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d" - os: linux - arch: arm64 - compiler: gcc - - name: gcc | openssl-1.1.1d - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d" - os: linux - arch: s390x - compiler: gcc - - name: gcc | openssl-1.0.2u | iproute2 - env: SSLLIB="openssl" EXTRA_CONFIG="--enable-iproute2" - os: linux - compiler: gcc - - name: clang+asan | openssl-1.0.2u - env: SSLLIB="openssl" CFLAGS="-fsanitize=address" CC=clang-9 - os: linux - compiler: clang - - name: clang | openssl-1.1.1d - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d" CC=clang-9 - os: linux - compiler: clang - - name: gcc | mbedtls - env: SSLLIB="mbedtls" - os: linux - compiler: gcc - - name: clang+asan | mbedtls - env: SSLLIB="mbedtls" CFLAGS="-fsanitize=address" CC=clang-9 - os: 
linux - compiler: clang - - name: clang | openssl-1.0.2u - env: SSLLIB="openssl" - os: osx - compiler: clang - - name: clang | mbedtls - env: SSLLIB="mbedtls" - os: osx - compiler: clang - - name: mingw64 | openssl-1.1.1d - env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.1.1d" - os: linux - compiler: ": Win64 build only" - - name: mingw32 | openssl-1.0.2u - env: SSLLIB="openssl" CHOST=i686-w64-mingw32 - os: linux - compiler: ": Win32 build only" - - name: clang | openssl-1.0.2u | disable-lzo | distcheck - env: SSLLIB="openssl" EXTRA_CONFIG="--disable-lzo" EXTRA_SCRIPT="make distcheck" CC=clang-9 - os: linux - compiler: clang - - name: clang | openssl-1.0.2u | enable-small - env: SSLLIB="openssl" EXTRA_CONFIG="--enable-small" CC=clang-9 - os: linux - compiler: clang - -addons: - apt: - update: true - packages: [ liblzo2-dev, libpam0g-dev, liblz4-dev, linux-libc-dev, man2html, mingw-w64, clang-9, libcmocka-dev, python3-docutils ] - homebrew: - update: true - packages: [ lzo, lz4, cmocka ] - -cache: - directories: - - download-cache - - ${HOME}/opt - - ${HOME}/Library/Caches/Homebrew - -install: - - if [ ! -z "${CHOST}" ]; then unset CC; fi - - travis_wait 30 bash -c '.travis/build-deps.sh > build-deps.log 2>&1' || (cat build-deps.log && exit 1) - -before_script: - - .travis/coverity.sh - -script: - - .travis/build-check.sh diff --git a/.travis/build-check.sh b/.travis/build-check.sh deleted file mode 100755 index 4e1b724348c..00000000000 --- a/.travis/build-check.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh -set -eux - -if [ "${TRAVIS_OS_NAME}" = "windows" ]; then - PATH="/c/Program Files (x86)/Microsoft Visual Studio/2019/BuildTools/MSBuild/Current/Bin/":$PATH - MSBuild.exe openvpn.sln //p:Platform=x64 && exit 0 -fi - -autoreconf -vi - -if [ -z ${CHOST+x} ]; then - if [ "${TRAVIS_OS_NAME}" = "linux" ]; then - export EXTRA_CONFIG="${EXTRA_CONFIG:-} --enable-werror" - fi - ./configure --with-crypto-library="${SSLLIB}" ${EXTRA_CONFIG:-} || (cat config.log && exit 1) - make LDFLAGS="-Wl,-rpath,${PREFIX}/lib" -j$JOBS - src/openvpn/openvpn --version || true - if [ "${TRAVIS_OS_NAME}" = "linux" ]; then - ldd src/openvpn/openvpn; - fi - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then otool -L src/openvpn/openvpn; fi - make check - ${EXTRA_SCRIPT:-} -else - export TAP_CFLAGS="-I${PWD}/tap-windows-${TAP_WINDOWS_VERSION}/include" - export LZO_CFLAGS="-I${PREFIX}/include" - export LZO_LIBS="-L${PREFIX}/lib -llzo2" - export PKCS11_HELPER_LIBS="-L${PREFIX}/lib -lpkcs11-helper" - export PKCS11_HELPER_CFLAGS="-I${PREFIX}/include" - ./configure --with-crypto-library="${SSLLIB}" --host=${CHOST} --build=x86_64-pc-linux-gnu --enable-pkcs11 --disable-plugins || (cat config.log && exit 1) - make -j${JOBS} -fi diff --git a/.travis/build-deps.sh b/.travis/build-deps.sh deleted file mode 100755 index 61673441db0..00000000000 --- a/.travis/build-deps.sh +++ /dev/null 
@@ -1,170 +0,0 @@ -#!/bin/sh -set -eux - -if [ "${TRAVIS_OS_NAME}" = "windows" ]; then - choco install strawberryperl nasm - choco install visualstudio2019buildtools --package-parameters "--includeRecommended --includeOptional" - choco install visualstudio2019-workload-vctools - cd .. - git clone https://github.com/openvpn/openvpn-build.git - cd openvpn-build - PATH="/c/Strawberry/perl/bin:":$PATH MODE=DEPS msvc/build.bat - exit 0 -fi - -# Set defaults -PREFIX="${PREFIX:-${HOME}/opt}" - -download_tap_windows () { - if [ ! -f "download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip" ]; then - wget -P download-cache/ \ - "https://build.openvpn.net/downloads/releases/tap-windows-${TAP_WINDOWS_VERSION}.zip" - fi -} - -download_lzo () { - if [ ! -f "download-cache/lzo-${LZO_VERSION}.tar.gz" ]; then - wget -P download-cache/ \ - "https://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz" - fi -} - -build_lzo () { - if [ "$(cat ${PREFIX}/.lzo-version)" != "${LZO_VERSION}" ]; then - tar zxf download-cache/lzo-${LZO_VERSION}.tar.gz - ( - cd "lzo-${LZO_VERSION}" - - ./configure --host=${CHOST} --program-prefix='' \ - --libdir=${PREFIX}/lib --prefix=${PREFIX} --build=x86_64-pc-linux-gnu - make all install - ) - echo "${LZO_VERSION}" > "${PREFIX}/.lzo-version" - fi -} - -download_pkcs11_helper () { - if [ ! 
-f "pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.gz" ]; then - wget -P download-cache/ \ - "https://github.com/OpenSC/pkcs11-helper/archive/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.gz" - fi -} - -build_pkcs11_helper () { - if [ "$(cat ${PREFIX}/.pkcs11_helper-version)" != "${PKCS11_HELPER_VERSION}" ]; then - tar xf download-cache/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.gz - ( - cd "pkcs11-helper-pkcs11-helper-${PKCS11_HELPER_VERSION}" - - autoreconf -iv - - ./configure --host=${CHOST} --program-prefix='' --libdir=${PREFIX}/lib \ - --prefix=${PREFIX} --build=x86_64-pc-linux-gnu \ - --disable-crypto-engine-gnutls \ - --disable-crypto-engine-nss \ - --disable-crypto-engine-polarssl \ - --disable-crypto-engine-mbedtls - make all install - ) - echo "${PKCS11_HELPER_VERSION}" > "${PREFIX}/.pkcs11_helper-version" - fi -} - -download_mbedtls () { - if [ ! -f "download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz" ]; then - wget -P download-cache/ \ - "https://tls.mbed.org/download/mbedtls-${MBEDTLS_VERSION}-apache.tgz" - fi -} - -build_mbedtls () { - if [ "$(cat ${PREFIX}/.mbedtls-version)" != "${MBEDTLS_VERSION}" ]; then - tar zxf download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz - ( - cd "mbedtls-${MBEDTLS_VERSION}" - make - make install DESTDIR="${PREFIX}" - ) - echo "${MBEDTLS_VERSION}" > "${PREFIX}/.mbedtls-version" - fi -} - -download_openssl () { - if [ ! 
-f "download-cache/openssl-${OPENSSL_VERSION}.tar.gz" ]; then - MAJOR=`echo $OPENSSL_VERSION | sed -e 's/\([0-9.]*\).*/\1/'` - wget -P download-cache/ \ - "https://www.openssl.org/source/old/${MAJOR}/openssl-${OPENSSL_VERSION}.tar.gz" - fi -} - -build_openssl_linux () { - ( - cd "openssl-${OPENSSL_VERSION}/" - ./config shared --prefix="${PREFIX}" --openssldir="${PREFIX}" -DPURIFY - make all install_sw - ) -} - -build_openssl_osx () { - ( - cd "openssl-${OPENSSL_VERSION}/" - ./Configure darwin64-x86_64-cc shared \ - --prefix="${PREFIX}" --openssldir="${PREFIX}" -DPURIFY - make depend all install_sw - ) -} - -build_openssl_mingw () { - ( - cd "openssl-${OPENSSL_VERSION}/" - - if [ "${CHOST}" = "i686-w64-mingw32" ]; then - export TARGET=mingw - elif [ "${CHOST}" = "x86_64-w64-mingw32" ]; then - export TARGET=mingw64 - fi - - ./Configure --cross-compile-prefix=${CHOST}- shared \ - ${TARGET} no-capieng --prefix="${PREFIX}" --openssldir="${PREFIX}" -static-libgcc - make install - ) -} - -build_openssl () { - if [ "$(cat ${PREFIX}/.openssl-version)" != "${OPENSSL_VERSION}" ]; then - tar zxf "download-cache/openssl-${OPENSSL_VERSION}.tar.gz" - if [ ! -z ${CHOST+x} ]; then - build_openssl_mingw - elif [ "${TRAVIS_OS_NAME}" = "osx" ]; then - build_openssl_osx - elif [ "${TRAVIS_OS_NAME}" = "linux" ]; then - build_openssl_linux - fi - echo "${OPENSSL_VERSION}" > "${PREFIX}/.openssl-version" - fi -} - -# Download and build crypto lib -if [ "${SSLLIB}" = "openssl" ]; then - download_openssl - build_openssl -elif [ "${SSLLIB}" = "mbedtls" ]; then - download_mbedtls - build_mbedtls -else - echo "Invalid crypto lib: ${SSLLIB}" - exit 1 -fi - -# Download and build dependencies for mingw cross build -# dependencies are the same as in regular windows installer build -if [ ! -z ${CHOST+x} ]; then - download_tap_windows - unzip download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip - - download_lzo - build_lzo - - download_pkcs11_helper - build_pkcs11_helper -fi 
diff --git a/.travis/coverity.sh b/.travis/coverity.sh deleted file mode 100755 index 8bb40f48135..00000000000 --- a/.travis/coverity.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -set -eu - -RUN_COVERITY="${RUN_COVERITY:-0}" - -export COVERITY_SCAN_PROJECT_NAME="OpenVPN/openvpn" -export COVERITY_SCAN_BRANCH_PATTERN="release\/2.4" -export COVERITY_SCAN_NOTIFICATION_EMAIL="scan-reports@openvpn.net" -export COVERITY_SCAN_BUILD_COMMAND_PREPEND="autoreconf -vi && ./configure --enable-iproute2 && make clean" -export COVERITY_SCAN_BUILD_COMMAND="make" - -if [ "${RUN_COVERITY}" = "1" ]; then - # Ignore exit code, script exits with 1 if we're not on the right branch - curl -s "https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh" | bash || true -else - echo "Skipping coverity scan because \$RUN_COVERITY != \"1\"" -fi diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100644 index 00000000000..a91cd32a2e5 --- /dev/null +++ b/CMakeLists.txt 
@@ -0,0 +1,739 @@ +cmake_minimum_required(VERSION 3.12) +set(CMAKE_CONFIGURATION_TYPES "Release;Debug;ASAN") +project(openvpn) + +# This CMake file implements building OpenVPN with CMAKE +# +# Note that this is *NOT* the official way to build openvpn on anything +# other than Windows/mingw despite working on other platforms too. You will need +# to add -DUNSUPPORTED_BUILDS=true to build on non Windows platforms. +# +# This cmake also makes a few assertions like lzo, lz4 being used +# and OpenSSL having version 1.1.1+ and generally does not offer the same +# configurability like autoconf + +find_package(PkgConfig REQUIRED) +include(CheckSymbolExists) +include(CheckIncludeFiles) +include(CheckCCompilerFlag) +include(CheckLinkerFlag OPTIONAL) +include(CheckTypeSize) +include(CheckStructHasMember) +include(CTest) + +option(UNSUPPORTED_BUILDS "Allow unsupported builds" OFF) + +if (NOT WIN32 AND NOT ${UNSUPPORTED_BUILDS}) + message(FATAL_ERROR "Note: on Unix platform the official and supported build method is using autoconfig. CMake based build should be only used for Windows and internal testing/development.") +endif() + +if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/config.h") + message(FATAL_ERROR "The top level source directory has a config.h file. 
Note that you can't mix in-tree autoconfig builds with out-of-tree cmake builds.") +endif () + +option(MBED "BUILD with mbed" OFF) +option(WOLFSSL "BUILD with wolfSSL" OFF) +option(ENABLE_LZ4 "BUILD with lz4" ON) +option(ENABLE_LZO "BUILD with lzo" ON) +option(ENABLE_PKCS11 "BUILD with pkcs11-helper" ON) +option(USE_WERROR "Treat compiler warnings as errors (-Werror)" ON) + +set(PLUGIN_DIR /usr/local/lib/openvpn/plugins CACHE FILEPATH "Location of the plugin directory") + +# AddressSanitize - use CXX=clang++ CC=clang cmake -DCMAKE_BUILD_TYPE=asan to build with ASAN +set(CMAKE_C_FLAGS_ASAN + "-fsanitize=address,undefined -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1" + CACHE STRING "Flags used by the C compiler during AddressSanitizer builds." + FORCE) +set(CMAKE_CXX_FLAGS_ASAN + "-fsanitize=address,undefined -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1" + CACHE STRING "Flags used by the C++ compiler during AddressSanitizer builds." 
+ FORCE) + +if (MSVC) + add_definitions(-D_CRT_SECURE_NO_WARNINGS -D_CRT_NONSTDC_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS) + if (USE_WERROR) + add_compile_options(/WX) + endif () + add_compile_options( + /MP + /W2 + /sdl + /Qspectre + /guard:cf + /FC + /ZH:SHA_256 + "$<$:/GL>" + "$<$:/Oi>" + "$<$:/Gy>" + "$<$:/Zi>" + ) + add_link_options( + /Brepro + "$<$:/LTCG:incremental>" + "$<$:/DEBUG:FULL>" + "$<$:/OPT:REF>" + "$<$:/OPT:ICF>" + ) + if (${CMAKE_GENERATOR_PLATFORM} STREQUAL "x64" OR ${CMAKE_GENERATOR_PLATFORM} STREQUAL "x86") + add_link_options("$<$:/CETCOMPAT>") + endif() +else () + set(CMAKE_C_FLAGS_RELEASE "-O2") + set(CMAKE_CXX_FLAGS_RELEASE "-O2") + set(CMAKE_C_FLAGS_DEBUG "-g -O1") + set(CMAKE_CXX_FLAGS_DEBUG "-g -O1") + add_compile_options(-Wall -Wuninitialized) + check_c_compiler_flag(-Wno-stringop-truncation NoStringOpTruncation) + + if (${NoStringOpTruncation}) + add_compile_options(-Wno-stringop-truncation) + endif() + # We are not ready for this + #add_compile_options(-Wconversion -Wno-sign-conversion -Wsign-compare) + if (USE_WERROR) + add_compile_options(-Werror) + endif () +endif () + +find_program(PYTHON NAMES python3 python) +execute_process( + COMMAND ${PYTHON} ${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/parse-version.m4.py ${CMAKE_CURRENT_SOURCE_DIR}/version.m4 + WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} + ) +include(${CMAKE_CURRENT_BINARY_DIR}/version.cmake) + +set(OPENVPN_VERSION_MAJOR ${PRODUCT_VERSION_MAJOR}) +set(OPENVPN_VERSION_MINOR ${PRODUCT_VERSION_MINOR}) +set(OPENVPN_VERSION_PATCH ${PRODUCT_VERSION_PATCH}) +set(OPENVPN_VERSION_RESOURCE ${PRODUCT_VERSION_RESOURCE}) + +set(CMAKE_C_STANDARD 99) + +# Set the various defines for config.h.cmake.in +if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") + set(TARGET_LINUX YES) + set(ENABLE_ASYNC_PUSH YES) + set(ENABLE_LINUXDCO YES) + set(ENABLE_SITNL YES) + set(HAVE_DECL_SO_MARK YES) + set(ENABLE_FEATURE_TUN_PERSIST 1) + set(HAVE_LINUX_TYPES_H 1) + set(ENABLE_DCO YES) + set(HAVE_CMSGHDR YES) 
+elseif (${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD") + set(TARGET_FREEBSD YES) + set(ENABLE_DCO YES) + link_libraries(-lnv) +elseif (WIN32) + set(ENABLE_DCO YES) +elseif (APPLE) + set(TARGET_DARWIN YES) + set(HAVE_NET_IF_UTUN_H YES) +endif () + +if (UNIX) + set(PATH_SEPARATOR /) + set(ENABLE_PORT_SHARE YES) + set(HAVE_SA_FAMILY_T YES) +elseif (WIN32) + set(PATH_SEPARATOR \\\\) + set(TARGET_WIN32 YES) +endif () + +check_symbol_exists(chroot unistd.h HAVE_CHROOT) +check_symbol_exists(chdir unistd.h HAVE_CHDIR) +check_symbol_exists(dup unistd.h HAVE_DUP) +check_symbol_exists(dup2 unistd.h HAVE_DUP2) +check_symbol_exists(fork unistd.h HAVE_FORK) +check_symbol_exists(execve unistd.h HAVE_EXECVE) +check_symbol_exists(ftruncate unistd.h HAVE_FTRUNCATE) +check_symbol_exists(nice unistd.h HAVE_NICE) +check_symbol_exists(setgid unistd.h HAVE_SETGID) +check_symbol_exists(setuid unistd.h HAVE_SETUID) +check_symbol_exists(setsid unistd.h HAVE_SETSID) +check_symbol_exists(getpeereid unistd.h HAVE_GETPEEREID) + +check_symbol_exists(epoll_create sys/epoll.h HAVE_EPOLL_CREATE) + +check_symbol_exists(gettimeofday sys/time.h HAVE_GETTIMEOFDAY) +check_symbol_exists(basename libgen.h HAVE_BASENAME) +check_symbol_exists(chsize io.h HAVE_CHSIZE) +check_symbol_exists(daemon "unistd.h;stdlib.h" HAVE_DAEMON) +check_symbol_exists(dirname libgen.h HAVE_DIRNAME) +check_symbol_exists(getrlimit sys/resource.h HAVE_GETRLIMIT) +check_symbol_exists(mlockall sys/mman.h HAVE_MLOCKALL) + +check_symbol_exists(sendmsg sys/socket.h HAVE_SENDMSG) +check_symbol_exists(recvmsg sys/socket.h HAVE_RECVMSG) +check_symbol_exists(cmsghdr sys/socket.h HAVE_CMSGHDR) +check_symbol_exists(openlog syslog.h HAVE_OPENLOG) +check_symbol_exists(syslog syslog.h HAVE_SYSLOG) +check_symbol_exists(getgrnam grp.h HAVE_GETGRNAM) +check_symbol_exists(getpwnam pwd.h HAVE_GETPWNAM) +check_symbol_exists(getsockname sys/socket.h HAVE_GETSOCKNAME) + +# Some OS (e.g. 
FreeBSD) need some basic headers to allow +# including network headers +set(NETEXTRA sys/types.h) +check_include_files("${NETEXTRA};netinet/in.h" HAVE_NETINET_IN_H) + +if (HAVE_NETINET_IN_H) + list(APPEND NETEXTRA netinet/in.h) +endif () + +check_include_files("${NETEXTRA};netinet/in6.h" HAVE_NETINET_IN_H) +check_include_files(linux/if_tun.h HAVE_LINUX_IF_TUN_H) +check_include_files(linux/sockios.h HAVE_LINUX_SOCKIOS_H) +check_include_files(dlfcn.h HAVE_DLFCN_H) +check_include_files(fcntl.h HAVE_FCNTL_H) +check_include_files(dmalloc.h HAVE_DMALLOC_H) +check_include_files(err.h HAVE_ERR_H) +check_include_files(sys/epoll.h HAVE_SYS_EPOLL_H) +check_include_files(poll.h HAVE_POLL_H) +check_include_files(sys/socket.h HAVE_SYS_SOCKET_H) +check_include_files(sys/time.h HAVE_SYS_TIME_H) +check_include_files(netdb.h HAVE_NETDB_H) +check_include_files(unistd.h HAVE_UNISTD_H) +check_include_files(sys/un.h HAVE_SYS_UN_H) +check_include_files(libgen.h HAVE_LIBGEN_H) +check_include_files(net/if.h HAVE_NET_IF_H) +check_include_files("${NETEXTRA};netinet/ip.h" HAVE_NETINET_IP_H) +check_include_files(arpa/inet.h HAVE_ARPA_INET_H) +check_include_files(net/if_utun.h HAVE_NET_UTUN_H) +check_include_files(sys/ioctl.h HAVE_SYS_IOCTL_H) +check_include_files(sys/inotify.h HAVE_SYS_INOTIFY_H) +check_include_files("${NETEXTRA};sys/uio.h" HAVE_SYS_UIO_H) +check_include_files(syslog.h HAVE_SYSLOG_H) +check_include_files(sys/wait.h HAVE_SYS_WAIT_H) +check_include_files(grp.h HAVE_GRP_H) +check_include_files(pwd.h HAVE_PWD_H) +check_include_files(sys/mman.h HAVE_SYS_MMAN_H) + + +check_include_files("${NETEXTRA};resolv.h" HAVE_RESOLV_H) +check_include_files("${NETEXTRA};net/if_tun.h" HAVE_NET_IF_TUN_H) + +set(CMAKE_EXTRA_INCLUDE_FILES netinet/ip.h) +check_type_size("struct in_pktinfo" IN_PKTINFO) +check_struct_has_member("struct in_pktinfo" ipi_spec_dst netinet/ip.h HAVE_IPI_SPEC_DST) +check_type_size("struct msghdr" MSGHDR) +set(CMAKE_EXTRA_INCLUDE_FILES) + +find_program(IFCONFIG_PATH ifconfig) 
+find_program(IPROUTE_PATH ip) +find_program(ROUTE_PATH route) + +if (${ENABLE_LZ4}) + pkg_search_module(liblz4 liblz4 REQUIRED IMPORTED_TARGET) +endif () + +if (${ENABLE_LZO}) + pkg_search_module(lzo2 lzo2 REQUIRED IMPORTED_TARGET) +endif () + +if (${ENABLE_PKCS11}) + pkg_search_module(pkcs11-helper libpkcs11-helper-1 REQUIRED IMPORTED_TARGET) +endif () + +function(add_library_deps target) + if (${MBED}) + target_link_libraries(${target} -lmbedtls -lmbedx509 -lmbedcrypto) + elseif (${WOLFSSL}) + pkg_search_module(wolfssl wolfssl REQUIRED) + target_link_libraries(${target} PUBLIC ${wolfssl_LINK_LIBRARIES}) + target_include_directories(${target} PRIVATE ${wolfssl_INCLUDE_DIRS}/wolfssl) + else () + set(ENABLE_X509ALTUSERNAME YES) + + find_package(OpenSSL REQUIRED) + target_link_libraries(${target} PUBLIC OpenSSL::SSL OpenSSL::Crypto) + if (WIN32) + target_link_libraries(${target} PUBLIC + ws2_32.lib crypt32.lib fwpuclnt.lib iphlpapi.lib + wininet.lib setupapi.lib rpcrt4.lib wtsapi32.lib ncrypt.lib bcrypt.lib) + endif () + + endif () + + # optional dependencies + target_link_libraries(${target} PUBLIC + $ + $ + $ + ) + + if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") + pkg_search_module(libcapng REQUIRED libcap-ng IMPORTED_TARGET) + pkg_search_module(libnl REQUIRED libnl-genl-3.0 IMPORTED_TARGET) + + target_link_libraries(${target} PUBLIC PkgConfig::libcapng PkgConfig::libnl) + endif () + +endfunction() + +if (${MBED}) + set(ENABLE_CRYPTO_MBEDTLS YES) +elseif (${WOLFSSL}) + set(ENABLE_CRYPTO_OPENSSL YES) + set(ENABLE_CRYPTO_WOLFSSL YES) + set(ENABLE_X509ALTUSERNAME YES) +else () + set(ENABLE_CRYPTO_OPENSSL YES) + set(ENABLE_X509ALTUSERNAME YES) +endif () + +include_directories(${CMAKE_CURRENT_SOURCE_DIR} src/compat include) + +add_custom_command( + OUTPUT always_rebuild config-version.h + COMMAND ${PYTHON} ${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/git-version.py + ) +set(HAVE_CONFIG_VERSION_H YES) + +configure_file(config.h.cmake.in config.h) 
+configure_file(include/openvpn-plugin.h.in openvpn-plugin.h) +# TODO we should remove the need for this, and always include config.h +add_definitions(-DHAVE_CONFIG_H) + +include_directories(${CMAKE_CURRENT_BINARY_DIR}) + +add_subdirectory(doc) +add_subdirectory(src/openvpnmsica) +add_subdirectory(src/openvpnserv) +add_subdirectory(src/tapctl) + +set(SOURCE_FILES + ${CMAKE_CURRENT_BINARY_DIR}/config.h + ${CMAKE_CURRENT_BINARY_DIR}/config-version.h + ${CMAKE_CURRENT_BINARY_DIR}/openvpn-plugin.h + + src/compat/compat-basename.c + src/compat/compat-daemon.c + src/compat/compat-dirname.c + src/compat/compat-gettimeofday.c + src/compat/compat-strsep.c + src/openvpn/argv.c + src/openvpn/argv.h + src/openvpn/base64.c + src/openvpn/base64.h + src/openvpn/basic.h + src/openvpn/block_dns.h + src/openvpn/block_dns.c + src/openvpn/buffer.c + src/openvpn/buffer.h + src/openvpn/circ_list.h + src/openvpn/clinat.c + src/openvpn/clinat.h + src/openvpn/common.h + src/openvpn/comp-lz4.c + src/openvpn/comp-lz4.h + src/openvpn/comp.c + src/openvpn/comp.h + src/openvpn/compstub.c + src/openvpn/console.c + src/openvpn/console_builtin.c + src/openvpn/console.h + src/openvpn/crypto.c + src/openvpn/crypto.h + src/openvpn/crypto_backend.h + src/openvpn/crypto_openssl.c + src/openvpn/crypto_openssl.h + src/openvpn/crypto_mbedtls.c + src/openvpn/crypto_mbedtls.h + src/openvpn/cryptoapi.c + src/openvpn/cryptoapi.h + src/openvpn/dco.c + src/openvpn/dco.h + src/openvpn/dco_win.c + src/openvpn/dco_win.h + src/openvpn/dco_linux.c + src/openvpn/dco_linux.h + src/openvpn/dco_freebsd.c + src/openvpn/dco_freebsd.h + src/openvpn/dhcp.c + src/openvpn/dhcp.h + src/openvpn/dns.c + src/openvpn/dns.h + src/openvpn/errlevel.h + src/openvpn/env_set.c + src/openvpn/env_set.h + src/openvpn/error.c + src/openvpn/error.h + src/openvpn/event.c + src/openvpn/event.h + src/openvpn/fdmisc.c + src/openvpn/fdmisc.h + src/openvpn/forward.c + src/openvpn/forward.h + src/openvpn/fragment.c + src/openvpn/fragment.h + 
src/openvpn/gremlin.c + src/openvpn/gremlin.h + src/openvpn/helper.c + src/openvpn/helper.h + src/openvpn/httpdigest.c + src/openvpn/httpdigest.h + src/openvpn/init.c + src/openvpn/init.h + src/openvpn/integer.h + src/openvpn/interval.c + src/openvpn/interval.h + src/openvpn/list.c + src/openvpn/list.h + src/openvpn/lladdr.c + src/openvpn/lladdr.h + src/openvpn/lzo.c + src/openvpn/lzo.h + src/openvpn/manage.c + src/openvpn/manage.h + src/openvpn/mbuf.c + src/openvpn/mbuf.h + src/openvpn/memdbg.h + src/openvpn/misc.c + src/openvpn/misc.h + src/openvpn/mroute.c + src/openvpn/mroute.h + src/openvpn/mss.c + src/openvpn/mss.h + src/openvpn/mstats.c + src/openvpn/mstats.h + src/openvpn/mtcp.c + src/openvpn/mtcp.h + src/openvpn/mtu.c + src/openvpn/mtu.h + src/openvpn/mudp.c + src/openvpn/mudp.h + src/openvpn/multi.c + src/openvpn/multi.h + src/openvpn/ntlm.c + src/openvpn/ntlm.h + src/openvpn/occ.c + src/openvpn/occ.h + src/openvpn/openvpn.c + src/openvpn/openvpn.h + src/openvpn/openvpn_win32_resources.rc + src/openvpn/options.c + src/openvpn/options.h + src/openvpn/options_util.c + src/openvpn/options_util.h + src/openvpn/otime.c + src/openvpn/otime.h + src/openvpn/ovpn_dco_win.h + src/openvpn/packet_id.c + src/openvpn/packet_id.h + src/openvpn/perf.c + src/openvpn/perf.h + src/openvpn/ping.c + src/openvpn/ping.h + src/openvpn/pkcs11.c + src/openvpn/pkcs11.h + src/openvpn/pkcs11_backend.h + src/openvpn/pkcs11_openssl.c + src/openvpn/pkcs11_mbedtls.c + src/openvpn/platform.c + src/openvpn/platform.h + src/openvpn/plugin.c + src/openvpn/plugin.h + src/openvpn/pool.c + src/openvpn/pool.h + src/openvpn/proto.c + src/openvpn/proto.h + src/openvpn/proxy.c + src/openvpn/proxy.h + src/openvpn/ps.c + src/openvpn/ps.h + src/openvpn/push.c + src/openvpn/push.h + src/openvpn/pushlist.h + src/openvpn/reflect_filter.c + src/openvpn/reflect_filter.h + src/openvpn/reliable.c + src/openvpn/reliable.h + src/openvpn/route.c + src/openvpn/route.h + src/openvpn/run_command.c + 
src/openvpn/run_command.h + src/openvpn/schedule.c + src/openvpn/schedule.h + src/openvpn/session_id.c + src/openvpn/session_id.h + src/openvpn/shaper.c + src/openvpn/shaper.h + src/openvpn/sig.c + src/openvpn/sig.h + src/openvpn/socket.c + src/openvpn/socket.h + src/openvpn/socks.c + src/openvpn/socks.h + src/openvpn/ssl.c + src/openvpn/ssl.h + src/openvpn/ssl_backend.h + src/openvpn/ssl_common.h + src/openvpn/ssl_openssl.c + src/openvpn/ssl_openssl.h + src/openvpn/ssl_mbedtls.c + src/openvpn/ssl_mbedtls.h + src/openvpn/ssl_verify.c + src/openvpn/ssl_verify.h + src/openvpn/ssl_verify_backend.h + src/openvpn/ssl_verify_openssl.c + src/openvpn/ssl_verify_openssl.h + src/openvpn/ssl_verify_mbedtls.c + src/openvpn/ssl_verify_mbedtls.h + src/openvpn/status.c + src/openvpn/status.h + src/openvpn/syshead.h + src/openvpn/tls_crypt.c + src/openvpn/tun.c + src/openvpn/tun.h + src/openvpn/networking_sitnl.c + src/openvpn/networking_freebsd.c + src/openvpn/auth_token.c + src/openvpn/auth_token.h + src/openvpn/ssl_ncp.c + src/openvpn/ssl_ncp.h + src/openvpn/ssl_pkt.c + src/openvpn/ssl_pkt.h + src/openvpn/ssl_util.c + src/openvpn/ssl_util.h + src/openvpn/vlan.c + src/openvpn/vlan.h + src/openvpn/win32.c + src/openvpn/win32-util.c + src/openvpn/win32.h + src/openvpn/win32-util.h + src/openvpn/xkey_helper.c + src/openvpn/xkey_provider.c + ) + +add_executable(openvpn ${SOURCE_FILES}) + +add_library_deps(openvpn) + +if (MINGW) + target_compile_options(openvpn PRIVATE + -DWIN32_LEAN_AND_MEAN + -DNTDDI_VERSION=NTDDI_VISTA -D_WIN32_WINNT=_WIN32_WINNT_VISTA + ) + target_compile_options(openvpn PRIVATE -municode -UUNICODE) + target_link_options(openvpn PRIVATE -municode) +endif() + +if (MSVC) + # we have our own manifest + target_link_options(openvpn PRIVATE /MANIFEST:NO) +endif() + +if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") + target_link_libraries(openvpn PUBLIC -ldl) +endif () + +if (NOT WIN32) + target_compile_options(openvpn PRIVATE -DPLUGIN_LIBDIR=\"${PLUGIN_DIR}\") + + 
find_library(resolv resolv) + # some platform like BSDs already include resolver functionality in the libc and not have an extra resolv library + if (${resolv} OR APPLE) + target_link_libraries(openvpn PUBLIC -lresolv) + endif () +endif () + + +if (BUILD_TESTING) + find_package(cmocka CONFIG) + if (TARGET cmocka::cmocka) + set(CMOCKA_LIBRARIES cmocka::cmocka) + else () + pkg_search_module(cmocka cmocka REQUIRED IMPORTED_TARGET) + set(CMOCKA_LIBRARIES PkgConfig::cmocka) + endif () + + set(unit_tests + "test_auth_token" + "test_buffer" + "test_crypto" + "test_misc" + "test_ncp" + "test_packet_id" + "test_pkt" + "test_provider" + ) + + if (WIN32) + list(APPEND unit_tests + "test_cryptoapi" + ) + endif () + + # MSVC and Apple's LLVM ld do not support --wrap + # This test requires cmake >= 3.18, so check if check_linker_flag is + # available + if (COMMAND check_linker_flag) + check_linker_flag(C -Wl,--wrap=parse_line LD_SUPPORTS_WRAP) + endif() + + if (${LD_SUPPORTS_WRAP}) + list(APPEND unit_tests + "test_argv" + "test_tls_crypt" + ) + endif () + + # These tests work on only on Linux since they depend on special Linux features + if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") + list(APPEND unit_tests + "test_networking" + ) + endif () + + foreach (test_name ${unit_tests}) + # test_networking needs special environment + if (NOT ${test_name} STREQUAL "test_networking") + add_test(${test_name} ${test_name}) + endif () + add_executable(${test_name} + tests/unit_tests/openvpn/${test_name}.c + tests/unit_tests/openvpn/mock_msg.c + tests/unit_tests/openvpn/mock_msg.h + src/openvpn/platform.c + src/openvpn/win32-util.c + src/compat/compat-gettimeofday.c + ) + + add_library_deps(${test_name}) + target_link_libraries(${test_name} PUBLIC ${CMOCKA_LIBRARIES}) + + target_include_directories(${test_name} PRIVATE src/openvpn) + + if (NOT ${test_name} STREQUAL "test_buffer") + target_sources(${test_name} PRIVATE + src/openvpn/buffer.c + ) + endif () + + endforeach() + + 
target_sources(test_auth_token PRIVATE + src/openvpn/base64.c + src/openvpn/crypto_mbedtls.c + src/openvpn/crypto_openssl.c + src/openvpn/crypto.c + src/openvpn/otime.c + src/openvpn/packet_id.c + ) + + target_sources(test_buffer PRIVATE + tests/unit_tests/openvpn/mock_get_random.c + ) + + target_sources(test_crypto PRIVATE + src/openvpn/crypto_mbedtls.c + src/openvpn/crypto_openssl.c + src/openvpn/crypto.c + src/openvpn/otime.c + src/openvpn/packet_id.c + src/openvpn/mtu.c + src/openvpn/mss.c + ) + + target_sources(test_misc PRIVATE + tests/unit_tests/openvpn/mock_get_random.c + src/openvpn/options_util.c + src/openvpn/ssl_util.c + ) + + target_sources(test_ncp PRIVATE + src/openvpn/crypto_mbedtls.c + src/openvpn/crypto_openssl.c + src/openvpn/crypto.c + src/openvpn/otime.c + src/openvpn/packet_id.c + src/openvpn/ssl_util.c + src/compat/compat-strsep.c + ) + + target_sources(test_packet_id PRIVATE + tests/unit_tests/openvpn/mock_get_random.c + src/openvpn/otime.c + src/openvpn/packet_id.c + src/openvpn/reliable.c + src/openvpn/session_id.c + ) + + target_sources(test_pkt PRIVATE + tests/unit_tests/openvpn/mock_win32_execve.c + src/openvpn/argv.c + src/openvpn/base64.c + src/openvpn/crypto_mbedtls.c + src/openvpn/crypto_openssl.c + src/openvpn/crypto.c + src/openvpn/env_set.c + src/openvpn/otime.c + src/openvpn/packet_id.c + src/openvpn/reliable.c + src/openvpn/run_command.c + src/openvpn/session_id.c + src/openvpn/ssl_pkt.c + src/openvpn/tls_crypt.c + ) + + target_sources(test_provider PRIVATE + tests/unit_tests/openvpn/mock_get_random.c + src/openvpn/xkey_provider.c + src/openvpn/xkey_helper.c + src/openvpn/base64.c + ) + + if (TARGET test_argv) + target_link_options(test_argv PRIVATE -Wl,--wrap=parse_line) + target_sources(test_argv PRIVATE + tests/unit_tests/openvpn/mock_get_random.c + src/openvpn/argv.c + ) + endif () + + if (TARGET test_cryptoapi) + target_sources(test_cryptoapi PRIVATE + tests/unit_tests/openvpn/mock_get_random.c + 
tests/unit_tests/openvpn/cert_data.h + src/openvpn/xkey_provider.c + src/openvpn/xkey_helper.c + src/openvpn/base64.c + ) + endif () + + if (TARGET test_networking) + target_link_options(test_networking PRIVATE -Wl,--wrap=parse_line) + target_compile_options(test_networking PRIVATE -UNDEBUG) + target_sources(test_networking PRIVATE + src/openvpn/networking_sitnl.c + src/openvpn/crypto_mbedtls.c + src/openvpn/crypto_openssl.c + src/openvpn/crypto.c + src/openvpn/otime.c + src/openvpn/packet_id.c + ) + endif () + + if (TARGET test_tls_crypt) + target_link_options(test_tls_crypt PRIVATE -Wl,--wrap=parse_line) + target_link_options(test_tls_crypt PRIVATE + -Wl,--wrap=buffer_read_from_file + -Wl,--wrap=buffer_write_file + -Wl,--wrap=rand_bytes) + target_sources(test_tls_crypt PRIVATE + tests/unit_tests/openvpn/mock_win32_execve.c + src/openvpn/argv.c + src/openvpn/base64.c + src/openvpn/crypto_mbedtls.c + src/openvpn/crypto_openssl.c + src/openvpn/crypto.c + src/openvpn/env_set.c + src/openvpn/otime.c + src/openvpn/packet_id.c + src/openvpn/run_command.c + ) + endif () + +endif (BUILD_TESTING) diff --git a/CMakePresets.json b/CMakePresets.json new file mode 100644 index 00000000000..135b19d029d --- /dev/null +++ b/CMakePresets.json 
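Review bot: The MinGW target gets none of the binary hardening the MSVC branch enables earlier in this file (`/sdl`, `/Qspectre`, `/guard:cf`, `/CETCOMPAT`), even though the header comment names Windows/mingw as the supported use of this CMake build; the `if (MINGW)` block after `add_library_deps(openvpn)` should set the PE equivalents explicitly, e.g. `target_link_options(openvpn PRIVATE -Wl,--dynamicbase -Wl,--nxcompat)` (plus `-Wl,--high-entropy-va` on the x86_64 target), and `-fstack-protector-strong` is worth evaluating if the toolchain's libssp is available. Recent binutils enable ASLR/NX by default for PE, but nothing here pins the toolchain, so stating the flags makes the policy explicit and auditable (unless the vcpkg triplet already sets them, which this hunk cannot show). Two smaller defects: `check_include_files("${NETEXTRA};netinet/in6.h" HAVE_NETINET_IN_H)` reuses the result variable of the preceding `netinet/in.h` probe, and because check results are cached the in6.h probe never runs — presumably `HAVE_NETINET_IN6_H` was intended. And `if (${resolv} OR APPLE)` expands the found library path into `if()`, where CMake treats a non-variable unquoted string as false, so `-lresolv` is only ever linked on Apple; `if (resolv OR APPLE)` tests the variable as intended. Finally, the `execute_process` running parse-version.m4.py passes no `RESULT_VARIABLE`, so a missing `${PYTHON}` surfaces only as an unrelated failure at the following `include(${CMAKE_CURRENT_BINARY_DIR}/version.cmake)`.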
@@ -0,0 +1,228 @@ +{ + "version": 3, + "configurePresets": [ + { + "name": "base", + "hidden": true, + "cacheVariables": { + "CMAKE_TOOLCHAIN_FILE": { + "value": "$env{VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake", + "type": "FILEPATH" + }, + "VCPKG_OVERLAY_TRIPLETS": { + "value": "${sourceDir}/contrib/vcpkg-triplets", + "type": "FILEPATH" + }, + "VCPKG_OVERLAY_PORTS": { + "value": "${sourceDir}/contrib/vcpkg-ports", + "type": "FILEPATH" + } + } + }, + { + "name": "base-windows", + "hidden": true, + "binaryDir": "${sourceDir}/out/build/${presetName}", + "generator": "Visual Studio 17 2022", + "cacheVariables": { + "VCPKG_MANIFEST_DIR": "${sourceDir}/contrib/vcpkg-manifests/windows", + "VCPKG_HOST_TRIPLET": "x64-windows" + }, + "vendor": { "microsoft.com/VisualStudioSettings/CMake/1.0": { "hostOS": [ "Windows" ] } } + }, + { + "name": "base-mingw", + "hidden": true, + "generator": "Ninja Multi-Config", + "cacheVariables": { + "CMAKE_SYSTEM_NAME": { + "value": "Windows", + "type": "STRING" + }, + "VCPKG_MANIFEST_DIR": "${sourceDir}/contrib/vcpkg-manifests/mingw" + } + }, + { + "name": "x64", + "hidden": true, + "architecture": { + "value": "x64", + "strategy": "set" + }, + "cacheVariables": { + "VCPKG_TARGET_TRIPLET": "x64-windows-ovpn" + } + }, + { + "name": "x64-mingw", + "hidden": true, + "binaryDir": "out/build/mingw/x64", + "cacheVariables": { + "CMAKE_C_COMPILER": { + "value": "x86_64-w64-mingw32-gcc", + "type": "STRING" + }, + "CMAKE_CXX_COMPILER": { + "value": "x86_64-w64-mingw32-g++", + "type": "STRING" + }, + "VCPKG_TARGET_TRIPLET": "x64-mingw-ovpn" + } + }, + { + "name": "arm64", + "hidden": true, + "architecture": { + "value": "arm64", + "strategy": "set" + }, + "cacheVariables": { + "VCPKG_TARGET_TRIPLET": "arm64-windows-ovpn" + } + }, + { + "name": "x86", + "hidden": true, + "architecture": { + "value": "Win32", + "strategy": "set" + }, + "cacheVariables": { + "VCPKG_TARGET_TRIPLET": "x86-windows-ovpn" + } + }, + { + "name": "i686-mingw", + "hidden": 
true, + "binaryDir": "out/build/mingw/x86", + "cacheVariables": { + "CMAKE_C_COMPILER": { + "value": "i686-w64-mingw32-gcc", + "type": "STRING" + }, + "CMAKE_CXX_COMPILER": { + "value": "i686-w64-mingw32-g++", + "type": "STRING" + }, + "VCPKG_TARGET_TRIPLET": "x86-mingw-ovpn" + } + }, + { + "name": "debug", + "hidden": true, + "cacheVariables": { + "CMAKE_BUILD_TYPE": "Debug" + } + }, + { + "name": "release", + "hidden": true, + "cacheVariables": { + "CMAKE_BUILD_TYPE": "Release" + } + }, + { + "name": "mingw-x64", + "inherits": [ "base", "base-mingw", "x64-mingw" ] + }, + { + "name": "mingw-x86", + "inherits": [ "base", "base-mingw", "i686-mingw" ] + }, + { + "name": "win-amd64-release", + "inherits": [ "base", "base-windows", "x64", "release" ] + }, + { + "name": "win-arm64-release", + "inherits": [ "base", "base-windows", "arm64", "release" ] + }, + { + "name": "win-x86-release", + "inherits": [ "base", "base-windows", "x86", "release" ] + }, + { + "name": "win-amd64-debug", + "inherits": [ "base", "base-windows", "x64", "debug" ] + }, + { + "name": "win-arm64-debug", + "inherits": [ "base", "base-windows", "arm64", "debug" ] + }, + { + "name": "win-x86-debug", + "inherits": [ "base", "base-windows", "x86", "debug" ] + }, + { + "name": "unix-native", + "generator": "Ninja Multi-Config", + "binaryDir": "out/build/unix" + } + ], + "buildPresets": [ + { + "name": "mingw-x64", + "configurePreset": "mingw-x64" + }, + { + "name": "mingw-x86", + "configurePreset": "mingw-x86" + }, + { + "name": "win-amd64-release", + "configurePreset": "win-amd64-release", + "configuration": "Release" + }, + { + "name": "win-arm64-release", + "configurePreset": "win-arm64-release", + "configuration": "Release" + }, + { + "name": "win-x86-release", + "configurePreset": "win-x86-release", + "configuration": "Release" + }, + { + "name": "win-amd64-debug", + "configurePreset": "win-amd64-debug", + "configuration": "Debug" + }, + { + "name": "win-arm64-debug", + "configurePreset": 
"win-arm64-debug", + "configuration": "Debug" + }, + { + "name": "win-x86-debug", + "configurePreset": "win-x86-debug", + "configuration": "Debug" + }, + { + "name": "unix-native", + "configurePreset": "unix-native" + } + ], + "testPresets": [ + { + "name": "win-amd64-release", + "configurePreset": "win-amd64-release" + }, + { + "name": "win-x86-release", + "configurePreset": "win-x86-release" + }, + { + "name": "win-amd64-debug", + "configurePreset": "win-amd64-debug" + }, + { + "name": "win-x86-debug", + "configurePreset": "win-x86-debug" + }, + { + "name": "unix-native", + "configurePreset": "unix-native" + } + ] +} diff --git a/COPYING b/COPYING index e12c5141429..00ecc27f621 100644 --- a/COPYING +++ b/COPYING @@ -1,6 +1,6 @@ OpenVPN (TM) -- An Open Source VPN daemon -Copyright (C) 2002-2023 OpenVPN Inc +Copyright (C) 2002-2024 OpenVPN Inc This distribution contains multiple components, some of which fall under different licenses. By using OpenVPN 
@@ -31,6 +31,48 @@ OpenVPN license: file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. +Apache2 linking exception: +--------------------------- + In addition, as a special exception, OpenVPN Inc and the + contributors give permission to link the code of this program to + libraries (the "Libraries") licensed under the Apache License + version 2.0 (this work and any linked library the "Combined Work") + and copy and distribute the Combined Work without an obligation to + license the Libraries under the GNU General Public License v2 + (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an + obligation to refrain from imposing any additional restrictions in + the Apache License version 2 that are not in the GPL-2.0, as + required by Section 6 of the GPL-2.0. You must comply with the + GPL-2.0 in all other respects for the Combined Work, including + the obligation to provide source code. If you modify this file, you + may extend this exception to your version of the file, but you are + not obligated to do so. If you do not wish to do so, delete this + exception statement from your version. + +For better understanding, in plain non-legalese English this basically says: + + * The intention for this license exception is to allow OpenVPN to be + linked against APL-2 licensed libraries, even where the GPL-2.0 and + APL-2 licenses conflict from a legal perspective. + + * OpenVPN itself will stay GPL-2.0 and the code belonging to the + OpenVPN project must comply to the GPL-2.0 license. This is NOT + dual-licensing of the OpenVPN code base. + + * This license exception DOES NOT require NOR expect a license change + of the APL-2 based library. This exception allows using the APL-2 + library as-is. 
However, when distributing a compiled OpenVPN binary + linking against APL-2 libraries ("Combined Work"), the REQUIREMENT is + that the APL-2 library MUST also be available on similar terms as in + GPL-2.0, like providing the source code of the library upon request, + except in the two specific ways mentioned. + + * If the APL-2 based library forbids such linking and distribution, + this license exception DOES NOT overrule the restriction of the APL-2 + based library. If the APL-2 library cannot satisfy the requirements + in this license exception, you CANNOT distribute an OpenVPN binary + linked with this library. + LZO license: ------------ diff --git a/ChangeLog b/ChangeLog index cd7c0b1b365..2508ef0de21 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,385 @@
 OpenVPN ChangeLog
-Copyright (C) 2002-2023 OpenVPN Inc
+Copyright (C) 2002-2024 OpenVPN Inc
+
+2024.03.20 -- Version 2.6.10
+
+Christoph Schug (1):
+ Update documentation references in systemd unit files
+
+Frank Lichtenheld (6):
+ Fix typo --data-cipher-fallback
+ samples: Remove tls-*.conf
+ check_compression_settings_valid: Do not test for LZ4 in LZO check
+ t_client.sh: Allow to skip tests
+ Update Copyright statements to 2024
+ GHA: general update March 2024
+
+Lev Stipakov (4):
+ win32: Enforce loading of plugins from a trusted directory
+ interactive.c: disable remote access to the service pipe
+ interactive.c: Fix potential stack overflow issue
+ Disable DCO if proxy is set via management
+
+Martin Rys (1):
+ openvpn-[client|server].service: Remove syslog.target
+
+Max Fillinger (1):
+ Remove license warning from README.mbedtls
+
+Selva Nair (1):
+ Document that auth-user-pass may be inlined
+
+wellweek (1):
+ remove repetitive words in documentation and comments
+
+
+2024.02.11 -- Version 2.6.9
+
+Arne Schwabe (15):
+ Remove unused function prototype crypto_adjust_frame_parameters
+ Log SSL alerts more prominently
+ Document tls-exit option mainly as test option
+ Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
+ Fix check_session_buf_not_used using wrong index
+ Add missing check for nl_socket_alloc failure
+ Add check for nice in cmake config
+ Remove compat versionhelpers.h and remove cmake/configure check for it
+ Extend the error message when TLS 1.0 PRF fails
+ Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
+ Check PRF availability on initialisation and add --force-tls-key-material-export
+ Make it more explicit and visible when pkg-config is not found
+ Clarify that the tls-crypt-v2-verify has a very limited env set
+ Implement the --tls-export-cert feature
+ Remove conditional text for Apache2 linking exception
+
+David Sommerseth (2):
+ Remove --tls-export-cert
+ Remove superfluous x509_write_pem()
+
+Frank Lichtenheld (14):
+ sample-keys: renew for the next 10 years
+ GHA: clean up libressl builds with newer libressl
+ configure.ac: Remove unused AC_TYPE_SIGNAL macro
+ documentation: remove reference to removed option --show-proxy-settings
+ unit_tests: remove includes for mock_msg.h
+ documentation: improve documentation of --x509-track
+ NTLM: add length check to add_security_buffer
+ NTLM: increase size of phase 2 response we can handle
+ proxy-options.rst: Add proper documentation for --http-proxy-user-pass
+ buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
+ --http-proxy-user-pass: allow to specify in either order with --http-proxy
+ README.cmake.md: Document minimum required CMake version for --preset
+ documentation: Update and fix documentation for --push-peer-info
+ documentation: Fixes for previous fixes to --push-peer-info
+
+Gert Doering (4):
+ OpenBSD: repair --show-gateway
+ get_default_gateway() HWADDR overhaul
+ fix uncrustify complaints about previous patch
+ preparing release 2.6.9
+
+Kristof Provost (1):
+ dco-freebsd: dynamically re-allocate buffer if it's too small
+
+Lev Stipakov (1):
+ tun.c: don't attempt to delete DNS and WINS servers if they're not set
+
+Marc Becker (1):
+ vcpkg-ports/pkcs11-helper: bump to version 1.30
+
+Max Fillinger (4):
+ Add support for mbedtls 3.X.Y
+ Update README.mbedtls
+ Disable TLS 1.3 support with mbed TLS
+ Enable key export with mbed TLS 3.x.y
+
+Reynir Bjoernsson (1):
+ protocol_dump: tls-crypt support
+
+Steffan Karger (1):
+ Fix IPv6 route add/delete message log level
+
+yatta (1):
+ fix(ssl): init peer_id when init tls_multi
+
+
+2023.11.17 -- Version 2.6.8
+
+Aquila Macedo (1):
+ doc: Correct typos in multiple documentation files
+
+Arne Schwabe (1):
+ Do not check key_state buffers that are in S_UNDEF state
+
+Frank Lichtenheld (1):
+ platform.c: Do not depend Windows build on HAVE_CHDIR
+
+Lev Stipakov (3):
+ config.h: fix incorrect defines for _wopen()
+ Make --dns options apply for tap-windows6 driver
+ Warn if pushed options require DHCP
+
+
+2023.11.08 -- Version 2.6.7
+
+Antonio Quartulli (1):
+ dco: fix crash when --multihome is used with --proto tcp
+
+Arne Schwabe (8):
+ Mock openvpn_exece on win32 also for test_tls_crypt
+ Add warning for the --show-groups command that some groups are missing
+ Print peer temporary key details
+ Add warning if a p2p NCP client connects to a p2mp server
+ Remove openssl engine method for loading the key
+ Remove saving initial frame code
+ Double check that we do not use a freed buffer when freeing a session
+ Fix using to_link buffer after freed
+
+Frank Lichtenheld (7):
+ GHA: do not trigger builds in openvpn-build anymore
+ GHA: new workflow to submit scan to Coverity Scan service
+ buffer: use memcpy in buf_catrunc
+ vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
+ CMake: backport CMake buildsystem from master to release/2.6
+ Remove all traces of the previous MSVC build system
+ doc: fix argument name in --route-delay documentation
+
+Heiko Hund (1):
+ dns option: remove support for exclude-domains
+
+Lev Stipakov (3):
+ Warn user if INFO control command is too long
+ dco-win: get driver version
+ dco: warn if DATA_V1 packets are sent to userspace
+
+Selva Nair (2):
+ Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
+ Log OpenSSL errors on failure to set certificate
+
+orbea (1):
+ configure: disable engines if OPENSSL_NO_ENGINE is defined
+
+
+2023.08.14 -- Version 2.6.6
+
+Antonio Quartulli (1):
+ configure.ac: fix typ0 in LIBCAPNG_CFALGS
+
+Arne Schwabe (8):
+ Avoid unused function warning/error on FreeBSD (and potientially others)
+ fix warning with gcc 12.2.0 (compiler bug?)
+ Fix CR_RESPONSE mangaement message using wrong key_id
+ Print a more user-friendly error when tls-crypt-v2 client auth fails
+ Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
+ Revert commit 423ced962d
+ Implement using --peer-fingerprint without CA certificates
+ show extra info for OpenSSL errors
+
+David Sommerseth (1):
+ ntlm: Clarify details on NTLM phase 3 decoding
+
+Frank Lichtenheld (8):
+ dist: add more missing files only used in the MSVC build
+ dist: Include all documentation in distribution
+ unit_tests: Add missing cert_data.h to source list for unit tests
+ test_tls_crypt: Improve mock() usage to be more portable
+ Remove old Travis CI related files
+ options: Do not hide variables from parent scope
+ pkcs11_openssl: Disable unused code
+ route: Fix overriding return value of add_route3
+
+George Pchelkin (1):
+ fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
+
+Gert Doering (1):
+ Make received OCC exit messages more visible in log.
+
+Heiko Hund (1):
+ work around false positive warning with mingw 12
+
+Lev Stipakov (3):
+ tun.c: enclose DNS domain in single quotes in WMIC call
+ manage.c: document missing KID parameter
+ Set WINS servers via interactice service
+
+Sergey Korolev (1):
+ dco-linux: fix counter print format
+
+
+2023.06.13 -- Version 2.6.5
+
+Arne Schwabe (1):
+ Fix use-after-free with EVP_CIPHER_free
+
+Frank Lichtenheld (6):
+ dco_linux: properly close dco version file
+ DCO: fix memory leak in dco_get_peer_stats_multi for Linux
+ Fix two unused assignments
+ sample-plugins: Fix memleak in client-connect example plugin
+ options: remove --key-method from usage message
+ msvc-generate: include version.m4.in in tarball
+
+Ilya Shipitsin (1):
+ src/openvpn/dco_freebsd.c: handle malloc failure
+
+Lev Stipakov (2):
+ dco-win: support for --dev-node
+ tapctl: generate driver-specific adapter names
+
+Selva Nair (2):
+ Correctly handle Unicode names for exit event
+ Interactive service: do not force a target desktop for openvpn.exe
+
+
+2023.05.11 -- Version 2.6.4
+
+Arne Schwabe (3):
+ Remove unused variable line
+ Add Apache2 linking with for new commits
+ Fix compile error on TARGET_ANDROID
+
+Frank Lichtenheld (2):
+ man page: Remove cruft from --topology documentation
+ tests: do not include t_client.sh in dist
+
+Kristof Provost (1):
+ DCO: support key rotation notifications
+
+Michael Nix (1):
+ fix typo in help text: --ignore-unknown-option
+
+Selva Nair (2):
+ Format Windows error message in Unicode
+ Bugfix: dangling pointer passed to pkcs11-helper
+
+
+2023.04.13 -- Version 2.6.3
+
+Frank Lichtenheld (3):
+ GHA: remove Ubuntu 18.04 builds
+ vcpkg: request "tools" feature of openssl for MSVC build
+ doc: run rst2* with --strict to catch warnings
+
+Lev Stipakov (1):
+ Support of DNS domain for DHCP-less drivers
+
+Selva Nair (1):
+ Bug-fix: segfault in dco_get_peer_stats()
+
+2023.03.24 -- Version 2.6.2
+
+Antonio Quartulli (6):
+ dco: don't use NetLink to exchange control packets
+ dco: print version to log if available
+ dco-linux: remove M_ERRNO flag when printing netlink error message
+ multi: don't call DCO APIs if DCO is disabled
+ dco-freebsd: use m->instances[] instead of m->hash
+ dco-linux: implement dco_get_peer_stats{, multi} API
+
+Arne Schwabe (12):
+ Set netlink socket to be non-blocking
+ Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
+ Fix memory leaks in open_tun_dco()
+ Fix memory leaks in HMAC initial packet generation
+ Use key_state instead of multi for tls_send_payload parameter
+ Make sending plain text control message session aware
+ Only update frame calculation if we have a valid link sockets
+ Improve description of compat-mode
+ Simplify --compress parsing in options.c
+ Refuse connection if server pushes an option contradicting allow-compress
+ Add 'allow-compression stub-only' internally for DCO
+ Parse compression options and bail out when compression is disabled
+
+Frank Lichtenheld (1):
+ tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled
+
+Gert Doering (1):
+ preparing release 2.6.2
+
+Heiko Hund (1):
+ dns option: allow up to eight addresses per server
+
+Kristof Provost (1):
+ dco: print FreeBSD version
+
+Lev Stipakov (4):
+ Support --inactive option for DCO
+ Fix '--inactive